Abstract


A  tool  for  Systematic  Error  and  Risk  Analysis  (SERA),  based  on  a  solid  theoretical 
framework  provided  by  the  Information  Processing  (IP)  and  Perceptual  Control  Theory  (PCT) 
models,  has  been  developed  for  investigating  the  human  factors  causes  of  accidents  and 
incidents. SERA provides a structured process for identifying both active failures and the
pre-conditions that led to these failures. In the context of this report, SERA is developed as a tool
to  help  the  accident  investigator  in  populating  the  Canadian  Forces  version  of  the  Human 
Factors  Accident  Classification  System  or  HFACS.  Yet  SERA  provides  its  own  taxonomy  of 
human  factors  causes  and  could  stand  alone,  independent  of  HFACS,  as  both  an  investigation 
tool  and  as  an  accident  classification  taxonomy.  Because  of  the  strong  separation  between  the 
active  failures  and  pre-conditions  that  mark  the  points  of  intervention  for  the  safety  system, 
SERA  can  be  extended  to  provide  a  risk  management  tool  at  both  the  tactical  (for  operators) 
and  strategic  (for  managers)  levels.  A  concept  for  a  risk  management  tool  is  developed,  based 
on  12  SERA  factors  at  the  tactical  level  and  six  SERA  factors  at  the  strategic  level.  The  use 
of  a  software  tool  for  implementing  the  steps  of  the  SERA  analysis  is  demonstrated. 


Résumé (translated)


A tool for Systematic Error and Risk Analysis (SERA) has been developed to investigate the
human factors involved in accidents and incidents. It is based on a solid theoretical
framework built from the Information Processing (IP) model and the Perceptual Control
Theory (PCT) model. SERA offers a structured process for identifying both the active
failures and the pre-conditions that led to these failures. In the context of this report, SERA
has been developed as a tool to help accident investigators populate the Canadian Forces
version of the Human Factors Accident Classification System (HFACS). Yet SERA has its
own taxonomy of human factors causes and could operate on its own, independently of
HFACS, as an investigation tool and as an accident classification taxonomy. Given the wide
separation between the active failures and the pre-conditions that call for intervention by the
safety system, SERA can also serve as a risk management tool at the tactical (for operators)
and strategic (for managers) levels. A concept for a risk management tool is developed based
on 12 SERA factors at the tactical level and 6 SERA factors at the strategic level. The use of
a software tool to carry out the steps of SERA is explained.

Executive summary


As  technology  has  become  increasingly  reliable,  accidents  due  to  equipment  and  material 
failure have become rare. Nowadays, cause factors are more likely to be attributed to the
human elements in the system than to the hardware. Obviously the ability to investigate,
classify and track human factors causes of accidents and incidents is central to preventing their
recurrence  or  for  putting  in  place  traps  to  stop  these  ‘human  errors’  from  propagating.  A  tool 
for  human  factors  accident  investigation  and  classification  must  provide  insight  into  why  a 
particular  pattern  of  behaviour  was  observed.  Generally  one  is  concerned  with  the  behaviour 
that  led  directly  to  the  accident  or  incident.  Understanding  why  this  pattern  of  behaviour 
emerged  is  the  key  to  explaining  the  human  factors  issues  associated  with  the  occurrence. 

The Systematic Error and Risk Assessment (SERA) process sets out to do this.

SERA  is  based  on  a  solid  theoretical  framework  provided  by  the  Information  Processing  (IP) 
and  Perceptual  Control  Theory  (PCT)  models.  SERA  provides  a  structured  process  for 
identifying  both  active  failures  and  the  pre-conditions  that  led  to  these  failures.  In  the  context 
of  this  report,  SERA  is  developed  as  a  tool  to  help  the  accident  investigator  in  populating  the 
Canadian  Forces  version  of  the  Human  Factors  Accident  Classification  System  or  HFACS. 

Yet SERA provides its own taxonomy of human factors causes and could stand alone,
independent  of  HFACS,  as  both  an  investigation  tool  and  as  an  accident  classification 
taxonomy.  Because  of  the  strong  separation  between  the  active  failures  and  pre-conditions 
that  mark  the  points  of  intervention  for  the  safety  system,  SERA  can  be  extended  to  provide  a 
risk  management  tool  at  both  the  tactical  (for  operators)  and  strategic  (for  managers)  levels. 

A  concept  for  a  risk  management  tool  is  developed,  based  on  12  SERA  factors  at  the  tactical 
level  and  six  SERA  factors  at  the  strategic  level. 

SERA  gains  construct  and  face  validity  from  the  theoretical  models  on  which  it  is  based,  but 
lacks the appeal of a tool that has seen widespread field use such as HFACS. SERA has a formal
process  for  its  application  that  suggests  a  greater  level  of  complexity  than  HFACS.  This 
suggestion  of  complexity  is  perhaps  more  imagined  than  real  as  the  SERA  decision  ladders 
are  simple  to  navigate,  although  they  do  demand  that  the  investigator  is  able  to  answer  a  series 
of  questions  related  to  the  operator’s  goals,  state  of  knowledge  of  the  world,  and  their  planned 
actions.  While  this  might  seem  odious,  it  is  hard  to  imagine  that  an  understanding  of  the 
circumstances  of  the  accident  or  incident  can  be  obtained  in  the  absence  of  this  information. 

A software tool that simplifies the process of conducting a SERA analysis is demonstrated.

Sommaire (translated)


Because technology is increasingly reliable, accidents due to equipment and material failures
are increasingly rare. Nowadays, causes are more often attributed to the human elements of
the system than to the hardware. It goes without saying that investigating, classifying and
tracking the human factors involved in accidents are essential to preventing their recurrence
and to setting traps to stop these "human errors" from propagating. A tool for investigating
and classifying accidents due to human factors must be able to explain why a particular type
of behaviour was observed. Usually, one is interested in the behaviour that led directly to the
accident or incident. Understanding why this type of behaviour arose is the key to explaining
the human factors associated with the event. That is the role of the Systematic Error and Risk
Analysis (SERA) process.

SERA is based on a solid theoretical framework built from the Information Processing (IP)
model and the Perceptual Control Theory (PCT) model. It offers a structured process for
identifying both the active failures and the pre-conditions that led to these failures. In the
context of this report, SERA has been developed as a tool to help accident investigators
populate the Canadian Forces version of the Human Factors Accident Classification System
(HFACS).

Yet SERA has its own taxonomy of human factors causes and could operate on its own,
independently of HFACS, as an investigation tool and as an accident classification taxonomy.
Given the wide separation between the active failures and the pre-conditions that call for
intervention by the safety system, SERA can also serve as a risk management tool at the
tactical (for operators) and strategic (for managers) levels. A concept for a risk management
tool is developed based on 12 SERA factors at the tactical level and 6 SERA factors at the
strategic level.

SERA gains construct and face validity from the model on which it is based, but it still lacks
the appeal of a tool that has been used on a large scale in the field, such as HFACS. SERA has
a formal process for its application, which suggests greater complexity than HFACS. This
possible complexity is more fiction than reality, since the SERA decision ladders are simple to
navigate; however, the investigator must be able to answer a series of questions about the
operator's goals, the state of their knowledge of the world, and their planned actions. Although
this may seem shocking, it is hard to imagine that an understanding of the circumstances
leading to the accident or incident is possible in the absence of this information. A software
tool that simplifies the process of conducting a SERA is demonstrated.

Introduction


As  technology  has  become  increasingly  reliable,  accidents  due  to  equipment  and  material 
failure have become rare. Nowadays, cause factors are more likely to be attributed to the
human elements in the system than to the hardware. Obviously the ability to investigate,
classify and track human factors causes of accidents and incidents is central to preventing their
recurrence  or  for  putting  traps  in  place  to  stop  these  ‘human  errors’  from  propagating.  The 
Human  Factors  Analysis  and  Classification  System  (HFACS)  is  one  such  system  (Shappell 
and  Wiegmann,  2000).  HFACS  draws  on  the  influential  work  of  Reason  (1990)  which 
recognizes  not  just  the  existence  of  the  unsafe  acts  committed  by  the  operators  or  crew 
directly  involved  in  the  accident  or  incident,  but  the  presence  of  pathogens  lying  dormant  in 
the  system  that  make  the  unsafe  acts  more  likely.  Reason’s  Latent  Failures  Model  (Figure  1) 
has had an enormous influence on how human error and risk management is currently viewed.

Figure 1. James Reason’s Latent Failures Model for accidents and incidents.

Reason  proposes  three  levels  of  latent  factors  that  precede  the  active  failure  and  pre-dispose 
the  system  to  generate  the  unsafe  act,  namely: 

• psychological precursors;

• line management deficiencies; and

•  fallible  management  decisions. 

In  Reason’s  terms,  when  defences  fail  at  all  of  these  levels  then  these  latent  factors  and  active 
failures  are  allowed  to  propagate  resulting  in  an  accident  or  incident.  Shappell  and  Wiegmann 
(2000)  have  re-cast  Reason’s  latent  conditions  into  what  are  largely  equivalent  terms,  namely: 

•  pre-conditions  for  unsafe  acts; 

•  unsafe  supervision;  and 

•  organizational  influences. 

Yet  despite  the  elegance  of  Reason’s  work,  and  the  insight  it  has  provided  for  human  error 
management,  it  has  been  argued  that  the  Latent  Failures  Model  lacks  a  theoretical  basis  for 
connecting  cause  and  effect.  For  example,  see  Hendy  and  Lichacz  (1999,  p658): 

“...It is important to note that Reason’s latent failures are not outcome
failures but instead are conditions that can lead to outcome failures... While
these ‘conditions’ for human error provide valuable insights into our
understanding of human error production, Reason’s Latent Failure Model
lacks a theoretical framework of the human information processor from
which to derive predictions about why and when these latent failures will be
triggered.”

Two  theoretical  models  are  advanced  to  address  this  criticism. 

“...The Information Processing / Perceptual Control Theory model provides
a framework which is consistent with the view of the human as a
goal-directed, error-correcting system and provides a context from which to
discuss the why and when components lacking from Reason’s model, and
ultimately support for a CRM or error management program.”

Together  the  Information  Processing  (IP)  and  Perceptual  Control  Theory  (PCT)  models 
provide  the  structure  for  an  error  and  risk  management  system.  The  use  of  theoretical  models 
carries  with  it  the  possibility  that  cause  and  effect  might  be  connected  through  the  theoretical 
framework  in  clear  and  unambiguous  terms.  Further,  a  theoretically  driven  approach  is  more 
likely  to  yield  a  complete  and  orthogonal  classification  system  than  what  might  be  described 
as,  at  best,  a  descriptive  model. 

This  report  describes  the  Systematic  Error  and  Risk  Analysis  process  or  SERA.  SERA 
provides:  a  tool  for  investigating  the  human  factors  issues  of  accidents  and  incidents;  a 
potential  accident  and  incident  classification  taxonomy;  and  the  basis  for  a  risk  management 
tool  at  both  the  tactical  and  strategic  levels.  A  bridge  is  also  developed  between  the  SERA 
categories  and  HFACS  so  that  the  results  of  a  SERA  analysis  can  be  recast  for  entry  into  a 
HFACS database.

A Theoretical Basis


The  IP  Model  is  described  in  detail  elsewhere  (Hendy,  East,  and  Farrell,  2001b;  Hendy,  Liao, 
and  Milgram,  1997).  The  essence  of  the  IP  model  is  that  all  factors  that  impact  on  human 
cognitive  workload  can  be  reduced  to  their  effects  on  the  amount  of  information  to  be 
processed  and  the  amount  of  time  available  before  the  decision  has  to  be  actioned.  From  this 
position,  it  can  be  shown  that  if  humans  are  limited  at  the  rate  at  which  they  process 
information  then  operator  workload,  performance,  and  error  production  are  all  functions  of  the 
time  pressure.  Time  Pressure  is  proportional  to: 


$$\text{Time Pressure} \propto \frac{\text{Amount of information to be processed}}{\text{Time available}}$$

which, at a constant rate of processing, reduces to,

$$\text{Time Pressure} = \frac{\text{Time to process information}}{\text{Time available}}$$


The  IP  Model  is  about  time  and  the  information  to  be  processed  (knowledge).  The  IP  model 
applies  everywhere  in  the  human  cognitive  system  where  information  is  being  processed. 


Figure  2.  The  multi-layered  Perceptual  Control  loop  for  a  human  operator  interacting  with  the  world. 

The  PCT  Model  (Powers,  1973)  argues  that  humans  behave  as  multi-layered  closed  loop 
control  systems  (See  Figure  2).  The  set  points  for  these  control  loops  are  our  perceptual  goals 
(or  how  we  want  to  see,  hear,  feel,  taste,  or  smell  the  state  of  the  world).  According  to  PCT, 
we sense the world state, forming a perception of that state which we then compare with our
goal (as shown by the Σ sign in Figure 2 which represents the mathematical summing
operation).  If  there  is  a  difference  between  our  perceived  and  desired  states,  we  formulate  an 
action.  This  action  is  implemented  in  order  to  operate  on  the  world  so  as  to  drive  the 
perceived  state  of  the  variables  of  interest  towards  the  goal.  The  perceptual  processes  and  the 
decisional  processes  draw  on  internal  knowledge  states  that  transform  sensation  to  perception, 
and  difference  to  action.  Our  attentional  mechanism  shifts  our  focus  from  loop  to  loop  to 
loop.  The  PCT  model  is  therefore  about  Goals,  Attention,  Knowledge  and  Feedback. 

The  IP  model  acts  wherever  there  are  data  transformation  or  information  processing  actions. 
These  occur  in  the  perceptual  processes,  the  decisional  processes  and  in  the  internal  world 
model  processes.  Combining  the  IP  and  PCT  models  it  is  shown  that  human  decision-making 
depends  on  the  management  of  time,  knowledge  and  attentional  resources  (Hendy  and 
Lichacz,  1999). 


The  bottom  line 

The  principal  points  of  the  combined  IP/PCT  model  can  be  summarised  in  the  following  6 
edicts: 


1.  Time  pressure 

Error  production,  level  of  performance  and  perceptions  of  workload  all  depend  on  the 
perceived  time  pressure. 

2.  Speed  and  accuracy  trade-off 

In human information processing — what might be colloquially called decision-making —
speed and accuracy trade-off.

3.  Reducing  time  pressure 

There are two, and only two, fundamental time management strategies for reducing
the perceived time pressure:

•  Make  the  decision  simpler  resulting  in  less  information  to  process  (use  rules 
of  thumb  or  heuristics,  prioritise,  delegate,  postpone,  schedule,  pre-plan  etc.). 

•  Extend  the  time  before  you  have  to  respond. 


4.  Error  management 

A feedback system is error correcting...all error correcting systems use feedback.

5. Resource management

The  decisions  you  make  draw  on  what  you  know  of  the  world  (the  content  of  all  your 
internal  knowledge  structures  -  you  may  not  be  consciously  aware  of  all  items  in  your 
knowledge structures). To know you must attend [1], to attend you must have time.
This  is  particularly  relevant  in  talking  about  the  transient  or  situationally  specific 
knowledge  called  Situation  Awareness  or  SA  (e.g.,  see  Endsley,  1993). 

6.  Ignorance  is  NOT  bliss 

What  you  don’t  know  can  hurt  you  (see  edict  5  above). 


[1] Actually this could be re-stated as “To know you must control, and to control you must have time.”
This applies strictly to those loops that compete for common processing structures and hence compete
for processing time (see Hendy, K. C., and Farrell, P. S. 1997). This statement will generally apply to
those activities that are accessible to conscious thought. It may not be true of those loops that are said to be
pre-attentive  or  those  that  are  not  available  to  consciousness.  In  IP  model  terms,  these  activities 
involve  dedicated  single  purpose  neural  networks  and  therefore  there  is  no  competition  for  processing 
time.

A Tool for Accident Investigation and Classification (SERA)


A  tool  for  human  factors  accident  investigation  and  classification  must  provide  insight  into 
why  a  particular  pattern  of  behaviour  was  observed.  Generally  one  is  concerned  with  the 
behaviour  that  led  directly  to  the  accident  or  incident.  Understanding  why  this  pattern  of 
behaviour  emerged  is  the  key  to  explaining  the  human  factors  issues  associated  with  the 
occurrence.  Using  the  theoretical  constructs  of  the  IP/PCT  model,  the  Systematic  Error  and 
Risk  Analysis  (SERA)  process  sets  out  to  do  this. 

IP/PCT  is  used  to  establish  a  consistent  framework  for  linking  cause  to  effect.  SERA  attempts 
to  be  exhaustive  and  establish  an  orthogonal  set  of  failure  descriptors  from  which  points  of 
intervention  might  be  proposed.  In  all  accident  or  incident  investigation,  the  key  to  the 
process  is  to  identify  the  point  at  which  there  was  a  departure  from  safe  operation. 


Figure  3.  Accident  and  incident  trajectories. 

Departure  from  safe  operation 

If  there  has  been  an  accident  or  incident  there  must  have  been  a  departure  from  safe  operation 
at  some  point  in  the  timeline  (see  Figure  3).  Some  world  state  must  have  gone  outside 
acceptable  limits  (e.g.,  clearance  from  terrain,  separation  from  another  aircraft,  the  installation 
of  the  wrong  part,  the  torque  on  a  fastener).  An  observable  unsafe  act  or  unsafe  condition  will 
mark  this  point.  A  particular  unsafe  act  or  unsafe  condition  is  on  the  accident  or  incident 
trajectory, if its removal or modification would have prevented the accident or incident from
occurring. The most critical unsafe act or condition is that from which there is only one
trajectory...the one that led directly to the accident or incident. Up until that critical act or
condition,  there  are  always  options,  but  once  the  critical  decision  has  been  made  there  is  no 
way  back. 

WHAT IS AN UNSAFE ACT? An act is something that someone has done...it is observable...it
is the outcome of a decision (e.g., “...the pilot initiated a roll and pull-through manoeuvre
from 2500 ft AGL”). You might have risky intentions, but until such time as you take action
there  is  no  unsafe  act.  Having  a  risky  goal  does  not  constitute  an  unsafe  act  until  something  is 
done  about  it,  although  announcing  your  intent  to  another  party  may  be  considered  an  unsafe 
act  if  there  is  an  expectation  that  the  intent  will  be  carried  out. 

WHAT  IS  AN  UNSAFE  CONDITION?  A  condition  is  some  state  of  the  world.  It  also  is 
observable (e.g., “...the aircraft descended below the MDA without the runway in sight”).
Here you are describing, “...what was” rather than “...what was done.”

WHO  DO  YOU  START  WITH?  One  would  start  with  the  operators  or  crews  who  were  directly 
involved  in  the  unsafe  act  or  unsafe  condition.  These  are  the  operators  or  crews  who  were 
controlling  the  variable(s)  that  went  out  of  the  acceptable  range(s).  One  is  trying  to  find  out 
why  these  particular  operators  or  crews  were  involved  in  an  accident  or  incident.  For  other 
operators  or  crews,  under  the  same  pre-conditions,  the  outcome  may  have  been  different. 

Now  you  need  to  find  out  what  were  the  points  of  failure  that  led  to  the  unsafe  acts  or 
conditions. 


Why  did  they  do  that? 

From PCT it is predicted that the answer to the question “...why did they do that?” is
generally  resolvable  once  you  know: 

•  what  a  person’s  goal  is; 

•  how  they  perceived  the  world;  and 

•  how  they  were  trying  to  achieve  the  goal. 

Hence,  if  you  wish  to  know  why  someone  is  behaving  in  a  particular  fashion  you  must  start 
with  the  following  three  questions  (see  Figure  4). 


GOAL: What was the person trying to achieve...what was the intent?

PERCEPTION: What did the person believe was the state of the world with respect to the
goals?

ACTION: How was the person trying to achieve the goals...what was the plan?

Figure 4. Three questions to ask.

From the answers to these questions you can trace a causal chain from an unsafe act to the
active points of failure. Within the PCT construct, active points of failure might be found in
one or more of the PERCEPTUAL, GOAL setting, or ACTION selection and execution
processes. Time pressure, and the state of knowledge held by the operator at the time the
decision was made, will bound the domain within which the active failures occur. Figure 5
traces a complete process, presented as a series of decision ladders, that starts with the
answers to these three questions and finishes with twelve basic types of active failures in the
human information processing system. A process for navigating these decision ladders is
described in detail at Annex B to this report.

Figure 5. PCATCT decision ladders. (Figure not reproduced; legible labels: “Describe the
unsafe act or unsafe condition”, “Failure in the decision making process”, “Feedback failure”.)


Active  failures 

The  decision  ladders  of  Figure  5  lead  to  twelve  basic  types  of  active  failure,  as  follows. 

1.  Intent  Failure; 

2.  Attention  Failure; 

3.  Sensory  Failure; 

4.  Knowledge  (Perception)  Failure; 

5.  Perception  Failure; 

6.  Communication/Information  Failure; 

7.  Time  Management  Failure; 

8.  Knowledge  (Decision)  Failure; 

9.  Ability  to  Respond  Failure; 

10.  Action  Selection  Failure; 

11.  Slips,  Lapses  and  Mode  Errors; 

12.  Feedback  Failure. 

Detailed  definitions  of  each  of  these  active  failures  can  be  found  in  Annex  A  of  this  Report. 
Figure  6  shows  the  points  of  active  failure  mapped  against  the  structure  of  the  perceptual 
control  loop. 


Pre-conditions  to  active  failures 

Reason’s  Latent  Failures  Model  provides  two  points  of  focus,  the  active  failures  themselves 
and  the  pre-conditions  that  made  the  active  failures  more  likely.  The  explicit  representation 
of  latent  or  dormant  pathogens  in  the  system  is  perhaps  the  greatest  contribution  of  Reason’s 
work  to  error  management. 

In SERA the four levels of Reason’s Latent Failures Model are expressed as follows (see
Figure  7): 

1.  Active  failures:  the  twelve  points  of  breakdown  in  the  human  information  processing 
system. 

2.  Pre-conditions:  these  are  factors  that  are  directly  and  immediately  connected  to  the 
unsafe act or condition. They are defined in terms of:

o the condition of the personnel,

o  the  condition  of  the  task  (time  pressure  and  objectives),  and 

o  the  working  conditions  (equipment,  workspace  and  environment). 

These  three  categories  of  immediate  pre-conditions  describe  the  condition  of  WHO 
was  involved  in  the  unsafe  act,  in  the  service  of  WHAT  task,  WHY  the  task  is  taking 
place,  and  WHERE  (in  other  words,  the  environment,  including  the  equipment  and 
workspace;  cf.  the  SHEL  model  of  Edwards,  1988)  it  is  performed.  Time  of  day 
(WHEN)  effects  will  be  reflected  in  both  the  physiological  condition  of  the  personnel 
(e.g.,  circadian  effects)  and  in  the  environmental  conditions  (e.g.,  ambient  light 
levels). 

3.  Organizational  influences:  these  are  remote  factors  that  establish  the  purpose  of  the 
activities  to  be  performed,  control  the  resources,  define  the  climate  within  which  the 
activities are to be performed, set constraints that bound behaviour through
procedures,  rules  and  regulations,  and  provide  oversight. 

4.  Command,  Control  and  Supervision  failures:  these  are  defined  in  terms  of  forming 
strategic  goals,  the  communication  of  those  goals,  and  the  provision  of  error 
correcting  feedback.  The  Command,  Control  and  Supervisory  process  is  the  conduit 
whereby  the  organisational  layer  affects  the  immediate  pre-conditions. 

Figure 7 retains the basic form of HFACS (Shappell and Wiegmann, 2000) but differs in
detail.  Within  the  framework  of  Figure  7,  the  activities  of  the  personnel  can  be  traced  back  to 
strategic  goals,  shaped  by  organisational  constraints,  that  flow  from  the  Mission,  down 
through  the  Command,  Control  and  Supervisory  processes,  and  emerge  as  task  objectives. 
Figure  7  is  consistent  with  the  PCT  view  that  all  human  systems  are  purposeful  goal  driven 
systems.  Organisational  influences  determine  the  factors  that  constrain  this  purposeful  goal 
driven  system,  and  shape  the  goals  that  are  actually  serviced  as  distinct  from  those  that  should 
be  pursued  in  the  achievement  of  the  mission  objectives  (of  course  in  a  healthy  and  effective 
system  these  will  be  identical). 

It  is  intended  that  SERA  is  sufficiently  complete  as  a  classification  system  to  capture  most 
human  factors  failures  and  all  reasonable  points  of  intervention.  While  the  active  failure  layer 
in  SERA  is  directly  traceable  to  IP/PCT,  the  pre-conditions  shown  in  Figure  7  are  less 
bounded  by  theory.  The  taxonomies  investigated  by  Wiegmann  and  Shappell  (1997)  apply 
only  to  the  active  failures,  which  are  already  comprehensively  covered  by  IP/PCT,  and 
therefore  provide  no  further  guidance.  HFACS  draws  obscurely  on  several  descriptive 
models  through  its  linkage  with  The  Taxonomy  of  Unsafe  Operations  (Shappell  and 
Wiegmann,  1997),  but  again  there  is  no  clear  guidance.  Although  one  might  be  guided  by 
concepts  of  hierarchical  systems  decompositions  such  as  Hierarchical  Goal  Analysis  (see 
Hendy, Beevis, Lichacz, et al., 2001), the arguments for the remaining layers in Figure 7 are
constrained  to  be  somewhat  qualitative. 

The  immediate  pre-conditions  of  Figure  7  include  the  fundamental  conditions  of  at  least  three 
of the four factors in the SHEL model of Edwards (1988), namely:

[H]ardware - physical resources such as buildings, vehicles, equipment, and materials.

[E]nvironment - the physical and social environment (the economic and political climate will
be seen at the organisational level in SERA).

[L]iveware - the human resources.

Figure 6. Active points of failure.

Figure 7. Active failures and three layers of pre-conditions.

The fourth factor [S]oftware - the rules, regulations, laws, orders, SOPs, customs, practices
and  habits,  is  contained  in  the  organisational  layer  of  Figure  7.  It  is  reasonable  to  regard  the 
condition  of  the  personnel  [L],  the  condition  of  the  hardware  [H]  including  both  displays  and 
controls,  and  the  condition  of  the  physical  and  social  environments  [E]  as  being  immediate  to 
the  active  failure.  This  captures  the  conditions  of  the  personnel  in  the  context  of  the  physical 
working  environmental.  The  only  thing  missing  is  the  condition  of  the  task,  which  is  implicit 
in  the  SHEL  model  because  it  defines  the  nature  of  the  interactions.  Therefore,  the  three 
factors  of  Figure  7  (PERSONNEL,  TASK  and  WORKING  ENVIRONMENT)  appear  to  provide 
the  framework  for  a  complete  classification  of  immediate  pre-conditions. 

Sitting  remotely  to  the  personnel  involved  in  the  active  failure  is  the  organisation.  The 
organisation  (or  more  correctly  the  people  within  the  organisation)  sets  strategic  goals  in  the 
statement  of  the  mission,  provides,  develops  and  sustains  resources  to  achieve  that  mission, 
establishes  procedures  and  practices  for  carrying  out  mission  related  activities  within  the 
constraints  of  both  an  internally  and  externally  imposed  system  of  authority  (rules  and 
regulations),  and  creates  a  climate  that  shapes  the  attitudes  of  all  who  serve  that  organisation. 
The  organisation  must  also  monitor  itself  to  see  if  the  mission  is  being  achieved.  These 
endeavours  capture  the  organisation’s  prime  functions  at  this  level. 

The  Command,  Control  and  Supervisory  process  connects  these  two  layers  through  a  two-way 
flow  of  information  (downwards  through  command  and  upwards  through  monitoring  and 
supervision).  These  concepts  will  be  defined  in  more  detail  later  in  this  report. 


Condition  of  the  Personnel 

The  condition  of  the  personnel  is  described  by  the  following  seven  states.  These  seven  states 
describe  the  condition  of  the  individuals,  working  both  individually  and  as  a  team  or  group. 

•  Physiological, 

•  Psychological, 

•  Social, 

•  Physical  capability, 

•  Personnel  readiness, 

•  Training  and  selection,  and 

•  Qualification and authorization.

Together these conditions impact all components of the IP/PCT model and hence the human
decision maker. The personnel factors are fully described in Annex A.

Condition of the task


The  condition  of  the  task  is  described  by  two  factors,  namely: 

•  the  time  pressure,  and 

•  the  objectives. 

Together  these  conditions  determine  the  two  factors  of  the  IP  model  (Hendy,  et  al.,  1997),  that 
is,  the  time  pressure  personnel  are  under  and  the  amount  of  uncertainty  that  has  to  be  resolved. 
The  objectives  also  define  the  nature  of  the  task;  they  also  drive  goal  setting  and  hence  risk 
management.  Detailed  definitions  of  these  factors  can  be  found  in  Annex  A  of  this  Report. 

Working  conditions 

The  working  conditions  describe  all  aspects  of  the  physical  environment  in  which  the  job  is 
performed,  including  the  operator  interface,  the  physical  arrangement  of  the  workspace  and 
environmental  factors  such  as  temperature,  noise,  vibration,  atmospheric,  and  weather.  The 
working  conditions  are  described  in  terms  of: 

•  Equipment  (Tools  of  the  Trade); 

•  Workspace; 

•  Environment. 

Refer  to  Annex  A  for  detailed  definitions  of  these  factors. 

Failures  in  Command,  Control  and  Supervision 

The  concepts  of  Command,  Control  and  Supervision  used  in  SERA  derive  from  PCT. 
Command,  Control  and  Supervision  are  essentially  goal  driven  human  activities  and  as  such 
they  can  be  represented  by  the  perceptual  control  loop.  McCann  and  Pigeau  (1999)  define 
Command  and  Control  in  the  following  terms  “...Command  [is]  the  creative  expression  of 
human  will  necessary  to  accomplish  the  mission  and  Control  [is  concerned  with]  those 
structures  and  processes  devised  by  Command  to  manage  risk.”  If  framed  in  PCT  terms,  we 
see  that  Command  involves  the  formation  and  communication  of  the  Commander’s  intent, 
while  Control  deals  with  those  aspects  involved  in  risk,  and  by  inference  error,  management. 

Hence a Command and Control process needs to support the following top-down and bottom-up
activities (see Figure 8 for the representation of a Commander or Supervisor interacting
with a single human operator or machine...this can be generalised from a one-to-one to a
one-to-many setting by giving more operators access to the world variables):

Command

Goal setting process: Forming Intent
Output process: Communicating Intent

Control

Input process: Monitoring and supervision.

If  we  agree  that  a  comprehensive  Command  and  Control  process  should  support  the  forming 
and  communication  of  intent  from  the  highest  levels  in  the  organization  right  down  to  the 
operators  that  are  actually  performing  the  mission  activities,  then  supervision  is  also  seen  to 
be  part  of  Command  and  Control.  Hence,  a  Supervisor  carries  out  the  activities  associated 
with  the  Command  and  Control  process,  but  at  a  level  appropriate  to  the  Supervisory  rather 
than  the  Command  role.  To  complete  the  Command,  Control  and  Supervisory  process,  those 
being  commanded  or  supervised  need  to  correctly  perceive  and  accept  the  Commander’s  or 
Supervisor’s  intent,  form  appropriate  goals,  and  carry  out  activities  that  are  directed  at 
satisfying  that  intent. 

The  performance  of  the  whole  Command,  Control  and  Supervisory  process  can  be  assessed  by 
measuring  the  appropriateness  of  the  Formed  Intent  with  respect  to  achieving  objectives,  by 
how  correctly  the  intent  is  perceived  (how  well  was  the  Intent  Communicated)  by  the  subject 
audience, and by how well ill-formed actions and Disturbances, that drive the world variables
away  from  the  desired  states,  are  detected  and  corrected  (Monitoring  and  Supervision). 
The  latter  includes  those  actions  that  are  deliberately  contrary  to  the  communicated  intent. 


[Figure 8 labels: Commander or Supervisor; World; Disturbances.]

Figure 8. The Command, Control and Supervisory process.


Either  humans  or  machines  can  be  commanded  or  supervised  (Hendy,  Beevis,  Lichacz,  et  al., 
2001).  The  processes  shown  in  Figure  8  remain  the  same,  although  we  might  say  that  the 
machine  has  a  set  point  rather  than  a  goal  (an  essentially  human  function),  and  the  machine 
might  not  dynamically  determine  the  value  of  this  set  point  (as  does  a  human  when  forming 
intent).  Generally  a  machine  will  merely  respond  to  new  input  from  the  human.  Until  real 
machine  intelligence  emerges,  machines  reflect  human  intent  rather  than  forming  their  own. 
If machines or automated systems are put in the supervisory or monitoring role², the functions
shown  on  the  left  hand  side  of  Figure  8  would  now  have  to  be  performed  by  the  machine.  The 
machine  would  have  to  present  the  required  states  to  those  supervised  and  monitor  progress 
towards  these  states  to  fulfil  the  supervisory  function.  Because  the  set  points  are  usually 
constant,  progress  towards  the  required  state  is  often  presented  in  the  form  of  the  difference 
between  a  set  point  and  the  current  state. 


² We are not yet at the situation, and may be a long way from embracing the concept, where a
non-human is given Command authority. One might imagine machines in a supervisory role first.

In summary, Command, Control and Supervision are described by the following factors³ in
SERA: 

•  Forming  Intent: 

•  Communication  of  Intent: 

•  Monitoring  and  Supervision: 

In  Annex  A  of  this  Report,  each  of  these  factors  is  described  in  detail. 

Organizational  failures 

Organizational  influences  are  at  the  highest  level  in  Reason’s  Latent  Failure  Model.  These 
factors  potentially  affect  the  conditions  of  the  personnel,  the  task  or  the  working  conditions. 
They  are  linked  to  the  immediate  pre-conditions  through  the  Command,  Control  and 
Supervisory  process.  Six  organizational  influences  have  been  identified,  namely: 

•  Mission: What the organization is supposed to achieve...

•  Provision of Resources: What the organization uses to achieve the mission...

•  Rules and Regulations: Constraints on the process the organization uses to
achieve the mission...

•  Organizational Processes and Practices: The way the organization should
do it (i.e., achieve the mission)...

•  Organizational Climate: Establishes attitudes that affect how the people in the
organization perceive the mission, what they actually do, and how they actually do
it...

•  Oversight: Provides feedback so that managers can form a perception of
organizational health (how well it is achieving its mission). Feedback is the stimulus
for organizational change.

These processes are shown in Figure 9, mapped onto a PCT loop for the Organization.
Detailed definitions of each of these factors can be found in Annex A. If the organization is
to meet the challenges of a changing world environment, this loop has to be adaptive. In other
words, the mission, provision of resources, rules and regulations, processes and organizational
climate may all have to adapt as circumstances change. Oversight closes the loop and
provides the error correcting feedback that drives this adaptive process. Without oversight
and a process for managing change, the organization will be static and unchanging. The
health of the organization is perceived by those in management from data fed back through
the oversight process.

³ Note that a very clear distinction is made between the people occupying the positions of the
Commander or the Supervisor, and the processes used by these people. Obviously a Commander
commands but also should control, just as a Supervisor should form and communicate intent as well as
monitor and supervise. This distinction is particularly important in examining systems that have
broken down. Where did supervision break down? Was it in the forming or communicating of the
Supervisor’s intent, or was it in the monitoring process used by the Supervisor? Each type of failure
will require a different form of intervention.


Figure  9.  Organizational  influences  potentially  contributing  to  active  failures. 


This  process  provides  the  Loop  4  level  feedback  in  Reason’s  systems  safety  management 
model  (see  Figure  10).  While  the  lower  level  loops  in  Figure  10  are  provided  by  accident 
classification and investigation systems (e.g., HFACS, SERA) and Control and Supervisory
functions,  Loop  4  feedback  is  often  missing  in  an  organization.  Note  that  in  Figure  10, 
SERA’s  Immediate  Pre-conditions  (Personnel,  Task,  Working  Conditions)  replace  Reason’s 
more  limited  Psychological  Precursors. 


Linking  pre-conditions  with  active  failures 

With  the  hierarchical  breakdown  of  Figure  7  it  is  possible  to  link  each  active  failure  with  a  set 
of  most  likely  pre-conditions  as  summarised  in  Table  1.  The  pre-conditions  mark  the  points 
of  intervention  for  the  safety  system  as  shown  in  Figure  11.  Interventions  are  intended  to 
reduce  the  probability  that  the  same  set  of  active  failures  will  occur  given  similar 
circumstances.  Active  failures  represent  ‘what  happened’ . .  .but  they  can  be  traced  to 
fundamental  limitations  in  the  human  sensory,  response  or  information  processing  systems. 
These  are  things  that  are  unlikely  to  change,  they  are  part  of  human  capabilities  and 
limitations.  There  is  relatively  little  point  in  telling  a  person  to  attend  and  be  more  vigilant  in 
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a  sustained  attention  task.  What  you  have  to  change  is  the  nature  of  the  task,  in  others  words 
the  pre-condition  that  set  up  the  scenario  for  a  sustained  attention  task  (e.g.,  increase  the 
number  of  events,  limit  exposure  to  about  20  minutes  at  a  time,  provide  other  stimuli  to 
increase  activation  and  arousal  levels;  see  also  Wickens  and  Hollands,  1999,  p40-43). 

The  pre-conditions,  both  immediate  and  remote,  represent  ‘why’  the  active  failure  existed. 
These  are  the  things  that  have  to  change  to  prevent  a  recurrence  because  they  define,  either 
directly  or  indirectly,  the  condition  of  the  personnel,  the  task  and  the  working  environment. 
In  Annex  B,  immediate  and  remote  pre-conditions  are  more  tightly  linked  with  each  point  of 
active  failure.  Their  descriptions  are  tailored  to  reflect  the  context  of  each  type  of  active 
failure. 


[Figure 10 labels: Failure types; Failure tokens.]

Figure 10. Feedback loops and indicators for the management of system safety in the Canadian Forces
aviation community (after Reason, 1990, Figure 7.9).


As  would  be  expected  from  PCT,  the  feedback  process  (Monitoring,  Supervision,  and 
Oversight)  figures  prominently  in  Table  1.  Improvements  in  feedforward  processes  should 
reduce  the  number  of  active  failures,  but  as  uncertainty  is  introduced  or  as  external 
disturbances  act  on  the  system  it  is  feedback  that  provides  error  correction.  Open  loop 
behaviour  only  works  when  everything  is  certain,  known  and  unchanging,  and  there  are  no 
external  influences  (this  would  be  true  of  a  closed  system).  Few  such  closed  systems  exist 
today  within  our  complex  socio-technological  environment. 
Table 1. Linking active failures with pre-conditions.

[Table body not recoverable. Active failure rows: Sensory; Knowledge - perception; Perception; Attention; Communication; Time management; Intent - violation; Intent - non violation; Knowledge - decision; Response; Action Selection; Feedback; Slips, misses, lapses.]

Figure 11. Active failures and pre-conditions.

A Bridge Between SERA and HFACS


As  outlined  in  the  previous  Section  of  this  Report,  SERA  provides  an  accident  and  incident 
classification  system,  as  well  as  a  process  for  identifying  the  points  of  active  failure  and 
linking  them  with  the  pre-conditions  that  led  to  these  failures.  While  one  might  be  well 
satisfied  that  SERA  provides  a  comprehensive  and  exhaustive  HF  accident  taxonomy,  it  is 
essential  that  the  SERA  categories  can  also  be  mapped  into  similar  or  equivalent  categories 
within  the  modified  HFACS  classification  scheme  that  is  being  adopted  by  the  Canadian 
Forces  (CF)  Directorate  of  Flight  Safety  (DFS).  This  Section  deals  with  the  problem  of 
mapping  SERA  categories  into  the  CF’s  version  of  HFACS. 

The  Human  Factors  Analysis  and  Classification  System 

Whereas  SERA  is  based  on  theoretical  models  of  the  human  information  processor,  HFACS  is 
built  on  what  is  largely  a  descriptive  model.  Shappell  and  Wiegmann  (2000)  derived  their 
Taxonomy  of  Unsafe  Operations  by  analysing  over  300  naval  aviation  accidents  and  then 
refining  their  system  with  further  data  from  Air  Force,  Army  and  civilian  operations. 

Reason’s  Latent  Failure  Model  provided  the  basic  structure  for  their  system,  just  as  it  does  for 
SERA. Shappell and Wiegmann reject the use of “...esoteric theories with little or no
practical applicability” (Shappell and Wiegmann, 2000, p. 3) in favour of a pragmatic
empirical approach. Yet empirical models carry with them the possibility that the
classification  system  is  incomplete  because  it  is  constrained  by  the  contents  of  the  database  it 
came  from,  or  that  it  leads  to  redundancy  and  overlap  between  the  various  descriptors  in  the 
absence  of  an  overarching  theoretical  framework.  Evidence  of  this  can  be  seen  both  with 
HFACS  and  with  the  modified  version  of  HFACS  that  will  be  promulgated  in  an  updated 
version  of  the  guiding  document  for  CF  Flight  Safety  (Anon.,  1999).  In  Table  2,  the 
classification  categories  of  HFACS,  the  CF  modified  version  (to  be  referred  to  as  AGA  135 
HFACS),  and  SERA  are  compared. 


Table 2. Comparison of HFACS, AGA 135 HFACS and SERA accident classification taxonomies.

HFACS | AGA 135 HFACS | SERA

ACTIVE FAILURES
Errors | Errors | Active Failures
Decision Errors | Decision Errors | Action Selection
Skill-Based Errors | Technique | Slips, Misses, Bungles
Perceptual Errors | Perceptual Errors | Perception
- | Attention/memory | Attention
- | Knowledge or Information | Knowledge
- | - | Intent (Non-violation)
- | - | Time Management
- | - | Feedback
- | - | Sensory or Response
- | - | Communication
Violations | Violations | Violations
Exceptional | Exceptional | Intent (Exceptional violation)
Routine | Routine | Intent (Routine violation)

PRE-CONDITIONS
Conditions of Operators | Condition of Operators | Condition of Operators
Adverse Mental States | Adverse Mental States | Psychological
Adverse Physiological States | Adverse Physiological States | Physiological
Physical/Mental Limitations | Physical/Mental Limitations | Physical Capability
Practice of Operators | Practices of Personnel | Condition of Operators
Crew Resource Mismanagement | Interpersonnel Res. Management | Social
Personal Readiness | Personal Readiness | Personal Readiness
- | Training | Training and Selection
- | Qualification | Qualification and Authorization
- | Working Conditions | Working Conditions
- | Equipment | Equipment
- | Workspace | Workspace
- | Environmental | Environment
- | - | Condition of the Task
- | - | Time Pressure
- | - | Objectives

SUPERVISION
Inadequate Supervision | Inadequate Supervision | Monitoring and Feedback
Planned Inappropriate Ops | Planned Inappropriate Ops | Forming Intent
Failed to Correct Problem; Supervisory Violations | Failed to Correct Problem; Supervisory Violations | Communication of Intent

ORGANIZATIONAL INFLUENCES
Resource Management | Resource Management | Provision of Resources
Organizational Climate | Organizational Climate | Organizational Climate
Organizational Process | Organizational Process | Organizational Process
- | - | Mission
- | - | Rules and Regulations
- | - | Oversight

Interestingly  there  is  no  provision  in  HFACS,  corrected  under  both  AGA  135  HFACS  and 
SERA,  to  trace  the  effect  of  deficiencies  in  the  Working  Conditions  (Equipment,  Workspace, 
and  Environment)  as  pre-conditions  to  active  failures.  Selection,  Training,  Qualification  and 
Authorization  is  buried  in  the  higher  level  layers  (Supervision  and  Organizational  Influences) 
in  HFACS.  Only  SERA  considers  the  Rules  and  Regulations  as  potential  pre-conditions  to 
the  unsafe  act  (not  all  Rules  and  Regulations  are  internally  consistent  and  compatible  with 
mission  goals  leading  to  systemic  violations). 


Transforming  SERA  categories  into  AGA  135  HFACS 

Several  SERA  categories  are  not  represented  explicitly  in  either  HFACS  or  AGA  135  HFACS 
although  the  category  definitions,  and  some  of  the  selected  examples  associated  with  these 
categories,  might  be  interpreted  to  include  at  least  some  of  the  missing  classifications  (see 
Anon.,  1999;  Shappell  and  Wiegmann,  2000).  It  is  really  only  when  one  tries  to  map  each  of 
the  SERA  categories  into  equivalent  or  similar  AGA  135  HFACS  categories  that  the  overall 
picture  becomes  clear. 

In  Table  3,  the  SERA  active  failure  categories  are  linked  to  the  most  likely  AGA  135  HFACS 
categories.  This  was  accomplished  by  reading  each  category  descriptor,  then  examining  the 
specific  examples  given  for  each  type  of  failure,  in  order  to  find  the  best  match.  Obviously, 
there  is  a  degree  of  subjectivity  in  this  process  but  no  more  so  than  when  investigators  are 
attempting  to  assign  cause  factors  from  the  same  data  source.  However,  it  is  believed  that  the 
selections  in  the  following  Tables  are  defensible. 

Ideally  each  SERA  category  would  map  into  one,  and  only  one,  AGA  135  HFACS  category 
(this  can’t  actually  happen  as  there  are  12  SERA  basic  active  failure  sub-categories  and  only  7 
AGA  135  HFACS  categories).  If  that  was  the  case,  then  SERA  and  AGA  135  HFACS  would 
be  seen  to  be  largely  identical  schemes,  distinguished  only  by  the  names  given  to  the 
categories.  From  Table  3  it  can  be  seen  that  this  is  not  strictly  the  case.  In  several  situations  a 
SERA  category  maps  into  more  than  one  AGA  135  HFACS  category  (e.g.,  SENSORY  failure), 
and there are also cases where more than one SERA category maps onto the same AGA 135
HFACS  category  (e.g.,  DECISION  errors). 


Table 3. Mapping of SERA active failures into best-fit AGA 135 HFACS categories.

SERA ACTIVE FAILURE | AGA 135 HFACS ACTIVE FAILURE | AGA 135 HFACS PRE-CONDITIONS | AGA 135 HFACS SUPERVISION | AGA 135 HFACS ORGANIZATION
Sensory | - | Physical - mental limitations; Personal readiness | - | -
Response | - | Physical - mental limitations | - | -
Communication | Knowledge - information | - | - | -
Perception | Perceptual | - | - | -
Intent - Routine violation | Violation - routine | - | Supervisory violations | -
Intent - Exceptional violation | Violation - exceptional | - | Supervisory violations | -
Intent - non violation | Decision | - | - | -
Attention | Attention - memory | - | - | -
Time management | - | Adverse mental state | - | -
Knowledge - perception | Knowledge - information | - | - | -
Knowledge - decision | Knowledge - information | - | - | -
Feedback | Attention - memory | Adverse mental state | - | -
Action selection | Decision; Technique | - | - | -
Slips, lapses and mode errors | Technique; Attention - memory | - | - | -

As the SERA taxonomy arguably consists of non-overlapping categories, this is evidence of
some ambiguity in the AGA 135 HFACS category descriptions. In practice this ambiguity
would have to be resolved by looking at the context of the unsafe act to see which AGA 135
HFACS categories are the best match. Note also that while most SERA active failures map
into AGA 135 HFACS active failures, there is some drift up into the HFACS Pre-Condition
and Supervisory layers. Tables 4 to 6 repeat this process for the SERA Pre-Condition,
Command, Control and Supervisory, and Organizational layers.


Table 4. Mapping of SERA Pre-Conditions into best-fit AGA 135 HFACS categories.

SERA PRE-CONDITIONS | AGA 135 HFACS ACTIVE FAILURE | AGA 135 HFACS PRE-CONDITIONS | AGA 135 HFACS SUPERVISION | AGA 135 HFACS ORGANIZATION
Physiological | - | Adverse physiological states | - | -
Psychological | - | Adverse mental states | - | -
Social | - | Interpersonnel resource management | - | -
Physical capability | - | Physical - mental limitation | - | -
Personal readiness | - | Personal readiness | - | -
Training and selection | - | Training; Physical - mental limitation | - | -
Qualification and Authorization | - | Qualification | - | -
Time Pressure | - | - | - | Organizational process
Objectives | - | - | Planned inappropriate operations | -
Equipment (Tools of the trade) | - | Equipment | - | -
Workspace | - | Workspace | - | -
Environment | - | Environment | - | -

As  with  Table  3,  there  is  evidence  of  category  drift  and  ambiguity  in  the  AGA  135  taxonomy 
shown  in  Tables  4  to  6.  While  the  mappings  of  Tables  3  to  6  are  not  one-to-one  there  is 
sufficient  commonality  to  make  the  process  manageable.  One  SERA  category,  RULES  AND 
REGULATIONS,  has  no  equivalent  in  AGA  135  HFACS. 
Table 5. Mapping of SERA Command, Control and Supervisory failures into best-fit AGA 135 HFACS categories.

SERA SUPERVISION | AGA 135 HFACS ACTIVE FAILURE | AGA 135 HFACS PRE-CONDITIONS | AGA 135 HFACS SUPERVISION | AGA 135 HFACS ORGANIZATION
Forming intent | - | - | Planned inappropriate operations; Supervisory violations | -
Communication of intent | - | - | Inadequate supervision | -
Monitoring and supervision | - | - | Inadequate supervision; Failed to correct a problem | -

Table 6. Mapping of SERA Organizational Influences into best-fit AGA 135 HFACS categories.

SERA ORGANIZATION | AGA 135 HFACS ACTIVE FAILURE | AGA 135 HFACS PRE-CONDITIONS | AGA 135 HFACS SUPERVISION | AGA 135 HFACS ORGANIZATION
Organizational climate | - | - | - | Organizational climate
Provision of resources | - | - | - | Resource management
Organizational process and practices | - | - | - | Organizational process
Mission | - | - | Planned inappropriate operations | Organizational process; Resource management
Rules and Regulations | - | - | - | -
Oversight | - | - | - | Organizational process
Risk Management


The  pre-conditions  (both  immediate  and  remote)  shown  in  Figure  11,  under  the  banner  “The 
Why”,  are  the  factors  that  must  change  in  order  to  break  the  causal  chain  that  leads  to  the 
existence of an unsafe act or condition. Hence, control of these factors is the key to risk
management,  thus  making  a  natural  linkage  between  an  error  taxonomy  and  a  potential  risk 
management  tool.  These  factors  fall  easily  into  two  classes  that  are  seen  to  provide  risk 
management  at  both: 

•  the  Tactical  (immediate)  level,  and 

•  the  Strategic  (remote)  level. 

Tactical  risk  management 

Tactical  risk  management  involves  the  control  of  those  factors  that  are  closest  to  a  potential 
unsafe act or condition. Hence, tactical risk assessment should be based on the states of the
following  factors: 

Condition  of  the  Personnel 

Physiological, 

Psychological, 

Social, 

Physical  capability, 

Personal  readiness, 

Training  and  selection, 

Qualification  and  authorization. 

Condition  of  the  task 
Time  Pressure, 

Objectives. 

Working  conditions 

Equipment, 

Workspace, 

Environment. 

A detailed tactical risk assessment tool should be based on the assessment of all twelve of
these factors, while a simple tool might use just the three higher-level factors (i.e.,
Condition of the Personnel, Condition of the Task, and the Working
Conditions). One of these factors (Qualification and Authorization) should be
purely a GO, NO-GO criterion. Unqualified and un-authorised personnel should not be used
in operations unless it is in exceptional circumstances. Qualification and Authorization is
likely more a legal issue than a risk assessment issue. The operational impact of using
unqualified and un-authorised personnel will generally be reflected in the state of the other
personnel factors (level of training, physical capability for the task etc.).

DRDC Toronto TR 2002-057


Figures  12  and  13  demonstrate  what  a  simple  risk  assessment  checklist,  derived  from  the 
SERA  categories,  might  look  like.  It  should  be  noted  that  these  examples  have  in  no  way 
been  validated  -  they  are  for  demonstration  purposes  only.  In  all  of  the  following  examples 
the  mathematical  forms  are  notional  and  offered  only  as  straw  men  to  demonstrate  how  a  risk 
assessment  tool  might  be  constructed. 

Ratings: Not Degraded = Low (L) = 0 risk points; Slightly Degraded = Medium (M) = 5 risk points; Significantly Degraded = High (H) = 10 risk points.

Condition | Risk | Action
L+L+L | 0 | GO
L+L+M | 1.7 | -
L+L+H | 3.3 | GO - Caution
L+M+M | 3.3 | -
L+M+H | 5 | NSA - Risk mitigation
M+M+M | 5 | -
L+H+H | 6.7 | NSA - Inadvisable
M+M+H | 6.7 | -
M+H+H | 8.3 | -
H+H+H | 10 | -

Note: NSA - No self authorization.

Overall Risk: 6.7

Figure 12. A tactical risk assessment tool based on three SERA factors.


In the first example a simple linear model was used to assign a numerical value to the level of
risk associated with various degraded states. This was based on an assignment of 0 risk points
if a condition is not degraded, 5 if slightly degraded, and 10 if significantly degraded. The
results for the three factors, in Figure 12, were then rolled up by the following equation to
give an overall risk figure (0 ≤ Risk ≤ 10).

$$\text{Risk} = \frac{P + T + W}{3}$$

where: P = Personnel, T = Task and W = Working Conditions. At 5 overall risk points, a
higher level of supervisory oversight and risk mitigation might be called for (see Figure 12).
At 7 overall risk points, operations should cease unless operational considerations make it
essential. Again these recommended actions, and the levels at which they are to be applied,
are notional and are for demonstration only. Obviously a tool such as this must be validated.

A  more  detailed  tool,  using  all  eleven  immediate  pre-conditions,  is  shown  in  Figure  13.  Note 
that  Qualification  and  Authorization  is  again  considered  to  be  a  GO,  NO-GO  criterion.  A 
linear  model  of  0,  5,  and  10  risk  points  is  used  for  three  levels  of  degradation  (none,  slight, 
significant).  An  overall  level  of  risk  is  calculated  by  the  following  equation: 

$$\text{Risk} = \frac{1.4\,\bigl(\mathrm{Max}(P) + \mathrm{Mean}(P)\bigr) + 0.8\,\bigl(\mathrm{Max}(T) + \mathrm{Mean}(T) + \mathrm{Max}(W) + \mathrm{Mean}(W)\bigr)}{6},$$

where: P = Personnel, T = Task and W = Working Conditions.


[Figure 13 content recovered: ratings Not Degraded = Low (L) = 0 risk points, Slightly Degraded = Medium (M) = 5 risk points, Significantly Degraded = High (H) = 10 risk points; risk action scale from 0 to 10 with the actions GO, GO - CAUTION, NSA - Risk mitigation, NSA - Inadvisable (NSA - No self authorization); Risks 7.08, 3.75, 8.33; Overall Risk 6.5.]

Figure 13. A tactical risk assessment tool based on eleven SERA factors.

This equation gives more weight (1.4 versus 0.8) to the personnel factor than to the task and
the  working  conditions.  The  use  of  the  maximum  risk  value,  as  well  as  the  mean,  gives 
emphasis  to  a  single  high-risk  factor  whereas  taking  the  mean  alone  averages  out  the 
contribution  of  a  single  large  value  (particularly  as  the  number  of  items  increases).  Again  it 
should  be  noted  that  these  calculations  are  notional  and  are  for  demonstration  purposes  only. 
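
The roll-up above, worked through as an added example (not code from the report or from the SERA Java application). The sample assessment is constructed, the split of the eleven scored factors into groups of six, two and three is an assumption, and so is reading the 7.08, 3.75 and 8.33 shown with Figure 13 as per-group (max + mean)/2 values.

```python
from statistics import mean

# Risk points per degradation level, as given in the text.
POINTS = {"none": 0, "slight": 5, "significant": 10}

# Weights from the Figure 13 equation: personnel counts more than task or
# working conditions. 2 * 1.4 + 4 * 0.8 = 6, which is the divisor, so the
# overall figure stays on the same 0-10 scale as a single factor.
W_PERSONNEL = 1.4
W_OTHER = 0.8


def _scores(levels):
    """Map degradation levels to risk points; reject empty or unknown input."""
    if not levels:
        raise ValueError("each group needs at least one assessed factor")
    try:
        return [POINTS[level] for level in levels]
    except KeyError as exc:
        raise ValueError(f"unknown degradation level: {exc.args[0]!r}") from None


def group_index(levels):
    """(max + mean) / 2 for one group of factors, on a 0-10 scale."""
    s = _scores(levels)
    return (max(s) + mean(s)) / 2


def tactical_risk(personnel, task, working, qualified_and_authorized=True):
    """Overall risk per the Figure 13 equation, or None for a NO-GO.

    Qualification and Authorization is treated as a GO/NO-GO gate and is
    not one of the scored factors.
    """
    if not qualified_and_authorized:
        return None
    p, t, w = _scores(personnel), _scores(task), _scores(working)
    weighted = (W_PERSONNEL * (max(p) + mean(p))
                + W_OTHER * (max(t) + mean(t) + max(w) + mean(w)))
    return weighted / 6


def single_high_factor(n):
    """One significantly degraded factor among n otherwise undegraded ones.

    Returns (mean alone, (max + mean) / 2). The first value shrinks as n
    grows; the second can never fall below half of the largest score.
    """
    levels = ["significant"] + ["none"] * (n - 1)
    return mean(_scores(levels)), group_index(levels)


# Constructed sample assessment (not data from the report), chosen so that
# the group values come out at 7.08, 3.75 and 8.33.
SAMPLE = {
    "personnel": ["significant", "slight", "slight", "slight", "none", "none"],
    "task": ["slight", "none"],
    "working": ["significant", "slight", "slight"],
}

if __name__ == "__main__":
    for name, levels in SAMPLE.items():
        print(f"{name:10s} {group_index(levels):5.2f}")
    print(f"overall    {tactical_risk(**SAMPLE):5.2f}")
    for n in (3, 6, 11):
        mean_only, max_and_mean = single_high_factor(n)
        print(f"n={n:2d}  mean only {mean_only:4.2f}  max+mean {max_and_mean:4.2f}")
```

With one significantly degraded factor among eleven, the mean alone reports under 1 risk point while the max-plus-mean form still reports above 5, which is the emphasis the paragraph above describes.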

Strategies  for  managing  risk 

Aviation  and  particularly  military  aviation  is  never  risk  free.  There  is  always  a  place  for 
managing  and  mitigating  the  risk  of  operations.  But  when  the  risk  factors  start  to  accumulate 
(say at risk values of 4 and higher in Figures 12 and 13), risk mitigation becomes essential.

From  the  IP/PCT  model  the  lines  of  defence  from  which  a  risk  mitigation  process  can  be 
implemented  are: 

• Goal setting: the first line of defence in risk management.

    • If there are choices, choose the more conservative option.

    • Make sure that everyone in the team understands and agrees on the goals.

• Action selection: the second last line of defence in risk management.

    • Reduce information processing load by reducing uncertainty.

    • Use SOPs, avoid shortcuts or using unrehearsed or unfamiliar plans of action.

    • Pre-plan actions (including fall back plans) and take control of the timeline.

    • Plan in depth based on an [A]wareness of the situation, the [I]mplications of the
      situation, and make a [P]lan to achieve the goal.

    • Keep the ‘back door open’ in case the situation degrades further. This plan may
      have to be refreshed as the situation changes.

• Feedback: the last line of defence in risk management.

    • Increase the level of supervision, monitoring and crosschecking. Monitor
      yourself and crosscheck others. Ask of yourself and others “...what are we trying
      to achieve, what do we think is happening, what’s the plan?”

    • Constantly maintain feedback and monitor progress towards the goals.

    • Ensure that all critical variables are being controlled (attended to).

    • Act (set new goals, modify the plan of action) if diverging from the goals.

Strategic risk management

Strategic  risk  management  starts  with  an  assessment  of  the  six  organizational  level  factors 
from  Figure  7.  These  are: 

•  Mission 

•  Provision  of  Resources 

•  Rules  and  Regulations 

•  Organizational  Process  and  Practices 

•  Organizational  Process 

•  Oversight. 

Figure  14  is  an  example  of  a  simple  tool  to  assess  the  risk  at  the  organizational  level  based  on 
these  six  SERA  factors. 


[Figure 14: condition scale Low (L) = 0, Medium (M) = 5, High (H) = 10 risk points (from not degraded to significantly degraded); risk status bands Healthy, Sickening, Unhealthy, Critically ill; example overall risk 6.7.]

Figure 14. A strategic risk assessment tool for assessing the health of an organization based on six SERA factors.

Overall risk is again calculated, for the purposes of demonstration, using both the maximum
value  of  risk  and  the  average  of  all  risk  values  as  follows: 

1  \ 

max{^,/2,...,/6}+-X/i  > 

;=i  _ 

where:  /,  is  the  score  for  the  /th  risk  factor. 

In  each  of  these  examples  linear  or  variations  on  linear  models  have  been  used.  Other  models 
with  more  direct  application  to  human  decision-making  might  be  considered  such  as  Baconian 
logic  models  or  fuzzy  models  (e.g.,  see  Cohen,  1977;  McNeill  and  Freiberger,  1993). 


Validation 

The  tools  presented  in  Figures  12  to  14  are  not  intended  for  immediate  implementation  but  are 
offered  as  a  demonstration  of  concepts.  The  mathematical  formulations  used  are  purely 
notional  and  have  solid  basis  in  theory.  Tools  such  as  these  would  need  to  be  validated  before 
bringing  them  into  operational  use.  A  starting  point  for  the  validation  process  would  be  to 
apply  these  tools  to  routine  operations  for  a  period  of  time  and  also  to  a  set  of  accident  and 
incident  reports. 

The  expectation  would  be  that  routine  operations  would  score  almost  exclusively  in  the  green 
or GO region of the risk scale, unless the organisation is in a state of crisis. The pre-conditions
to many incidents and accidents would be expected to register in the yellow
(Caution)  or  red  (NO-GO)  zones.  Note  that  the  concept  for  these  tools  is  that  they  would  be 
applied  a  priori,  that  is,  prior  to  the  mission.  Therefore  they  will  not  capture  factors  that 
changed  during  the  mission,  for  example,  deteriorating  weather,  increasing  time  pressure,  or 
non-anticipated  physiological  and  psychological  degradation  due  to  fatigue.  Nor  will  they 
capture  factors  that  lie  dormant  and  do  not  emerge  until  the  accident  or  incident  investigation. 

A Software Application for Implementing SERA


A  software  application  has  been  designed  as  an  aid  to  applying  SERA.  This  Java™ 
application  implements  the  process  described  in  Annex  B  to  this  Report.  The  application 
currently  has  been  implemented  on  the  Macintosh  platform  but  the  use  of  Java™  as  the 
programming language makes its porting to other platforms a straightforward process. The
application,  as  it  currently  exists,  was  developed  as  a  proof-of-concept  demonstration  of  how 
the  SERA  process  could  be  aided.  There  is  considerable  scope  for  further  improvement  of  the 
tool. 

The  SERA  application  presents  a  series  of  screens  that  leads  the  analyst  one  step  at  a  time 
through  the  process  outlined  in  Annex  B.  A  graphical  aid  to  navigation  shows  where  one  is  in 
this  activity  at  all  times,  and  can  be  used  to  return  to  any  step  with  a  double  click  on  any  of  the 
boxes visited previously. Figure 15 shows a typical SERA data entry screen with the
navigation  aid  alongside. 

The analysis starts with the identification of an unsafe act. Currently SERA v1.0 deals with
one  unsafe  act  at  a  time.  A  useful  modification  of  the  SERA  software  would  provide  an 
ability  to  identify  and  analyse  multiple  unsafe  acts  within  a  single  SERA  file.  One  can  of 
course  generate  a  series  of  files  with  the  current  version  of  SERA  to  cover  multiple  unsafe 
acts,  but  this  complicates  record  keeping. 

Once  a  point  of  failure  has  been  identified  the  analyst  is  asked  to  choose  the  SERA 
preconditions  that  were  associated  with  this  failure.  The  most  likely  pre-conditions  are 
presented  first,  followed  by  a  listing  of  all  remaining  SERA  factors.  An  additional  screen 
allows  one  to  detail  factors  that  are  outside  the  SERA  taxonomy.  All  screens  contain  a  field 
for  extensive  comments  and  supporting  material.  A  rigorous  tracking  of  missed  steps, 
unanswered  questions,  and  internal  consistency  reduces  the  chance  that  the  analysis  will  be 
incomplete  or  the  process  inappropriately  applied.  SERA  automatically  links  the  SERA 
failures and pre-conditions with the closest AGA 135 HFACS categories as outlined
previously  in  this  report.  In  future  versions  of  the  SERA  application  the  analyst  will  be  able 
to  overturn  the  automatic  selections  if  so  inclined. 

Once  all  failures  and  pre-conditions  have  been  identified,  SERA  consolidates  all  the  data, 
including  comments  and  supporting  material,  into  a  text  file  that  constitutes  a  first  cut  at  the 
final  report. 

An  Example  of  using  the  SERA  Application 

To test the functioning of the software, SERA was applied to an accident from the National
Transportation Safety Board (NTSB) aviation accident database⁴. The results of that analysis
are shown in Annex C to this Report. The accident involved a case of fuel exhaustion that
occurred soon after take off on a local VFR flight.

⁴ See http://www.ntsb.gov/NTSB/query.asp for access to this facility.

Potentially  there  are  several  unsafe  acts  that  might  be  analysed  in  this  example.  The  first,  and 
most  obvious,  is  the  act  of  initiating  a  flight  with  less  than  the  required  amount  of  fuel  on 
board.  This  is  the  unsafe  act  that  was  subjected  to  the  full  SERA  analysis  shown  in  Annex  C. 

At  least  two  additional  unsafe  acts  occurred  that  could  also  be  analysed  with  SERA.  The  first 
relates  to  emergency  procedures  following  a  partial  loss  of  engine  power.  In  addition  to  the 
use  of  the  auxiliary  fuel  pump,  a  normal  emergency  procedure  would  dictate  changing  tanks. 
From  the  accident  report  it  appears  that  the  right  tank  contained  more  fuel  than  the  left  (which 
was  found  to  be  empty  in  a  post  accident  inspection).  Due  to  the  low  altitude  of  the  aircraft 
(400-500ft  AGL)  time  pressure  would  have  been  a  factor  in  successfully  actioning  a  complete 
emergency  check  list  while  manoeuvring  the  aircraft  for  a  potential  off-airport  landing.  It  was 
assumed  that  the  engine  was  drawing  from  the  left  tank  when  the  first  loss  of  engine  power 
occurred.  Here  the  active  failure  is  likely  to  be  found  in  ACTION  selection  and 
implementation.  This  might  lead  to  the  identification  of  an  underlying  lack  of  knowledge 
unless  the  pilot  can  recite  a  full  engine  failure  check  list,  or  to  a  memory  retrieval  failure  if  the 
check  list  was  known  but  was  not  fully  implemented  in  this  situation. 

Another  unsafe  act  that  could  be  analysed  is  the  decision  to  turn  back  to  the  airfield  while 
only  400-500ft  AGL.  A  180  degree  turn  at  this  altitude  and  with  no  engine  power  is  unlikely 
to  be  successful.  Using  SERA  a  series  of  questions  might  have  been  asked  by  the  investigator 
to  see  if  the  pilot  understood  the  perils  of  a  180  degree  turn  at  low  altitude  (raising  a  possible 
question  as  to  whether  this  material  is  being  taught  in  flight  school)  and  whether  this  decision 
was  guided  by  a  perception  that  enough  engine  power  was  being  developed  to  make  the 
manoeuvre  possible.  As  it  turned  out  the  occupants  were  somewhat  lucky  to  have  escaped 
with  minor  injuries. 

Annex  C  contains  a  slightly  edited  version  of  the  text  file  produced  by  SERA.  Pre-conditions 
that were considered not to be active in this accident were removed from the file and slight
re-ordering of the material allowed common data to be grouped together. Otherwise Annex C is
a faithful representation of report generation capability of SERA v1.0. Future enhancements
to  SERA  will  address  issues  related  to  the  ordering  and  presentation  of  material  in  the  report, 
and  will  likely  mirror  the  format  of  Annex  C. 

The NTSB attributed this accident to “...the pilot's improper preflight and failure to refuel the
airplane.”  This  does  not  address  the  issue  of  why  an  experienced  pilot  (holding  an  ATP  and 
maintenance  technician  qualifications)  did  not  know  what  the  actual  fuel  state  was,  despite  a 
visual  check  of  the  tanks  and  first  hand  knowledge  of  the  recent  flight  history  of  the  aircraft. 
No  remedial  action  flows  from  the  NTSB  diagnosis. 

On  the  other  hand  SERA  identified  two  active  failures  and  two  pre-conditions  from  the  first 
unsafe  act,  as  follows: 

Active  Failures 

PERCEPTUAL  FAILURE:  An  incorrect  perception  was  formed  because  conflicting 
and  ambiguous  information  was  not  resolved. 

EXCEPTIONAL VIOLATION: The pilot unknowingly broke rules related to the
amount of usable fuel required for the flight.

Figure 15. A typical screen in the SERA Java™ application.

Figure 16. Active failures and pre-conditions arising from a SERA analysis of an incident report from the NTSB data base (NTSB Identification: LAX01LA065).

Pre-Conditions


EQUIPMENT:  Gauging  tank  contents  by  a  visual  inspection  is  unreliable  unless  a 
calibrated  dip  stick  is  used.  The  aircraft  fuel  gauges  were  poorly  calibrated  and  gave 
a  very  optimistic  picture  regarding  fuel  on  board. 

INFORMATION  PROCESSING  BIASES:  The  information  was  attended  to 
selectively,  or  was  ignored.  Conflicting  information  was  not  integrated  and  the 
discrepancy  resolved. 

One  pre-condition  identifies  a  problem  with  the  accuracy  of  fuel  gauges  in  this  aircraft  or  type 
of  aircraft  and  the  other  leads  to  a  potential  need  to  have  pilots  routinely  verify  fuel  contents 
by  at  least  two  independent  routes. 

This  level  of  analysis  provides  useful  data  for  tracking  trends  and  for  designing  interventions 
to  deal  with  emergent  human  factors  issues.  The  factors  identified  by  SERA  in  this  accident, 
and  the  potential  interventions,  are  different  to  those  that  might  be  found  in  a  situation  where 
a  pilot  didn’t  bother  to  check  the  fuel  state  prior  to  departure,  knew  exactly  how  many  gallons 
were on board but had no notion of the fuel burn per hour, or deliberately undertook a flight
with  no  reserve.  The  NTSB  conclusions,  on  the  other  hand,  may  not  change,  as  they  are 
neutral  with  respect  to  the  underlying  human  factors  reasons  behind  the  decisions  that  were 
made. 


Testing  the  Reliability  of  SERA 

It  is  planned  to  establish  the  reliability  of  the  SERA  process  using  the  Java™  application  to 
guide  the  analysis.  20  cases  have  been  drawn  from  the  NTSB  database  from  calendar  year 
2001. The criteria for selection were:

•  Final  reports  were  used  so  that  the  facts  of  the  case  had  been  checked  and  a  full 
narrative  was  available.  This  also  meant  that  the  NTSB’s  most  probable  cause  had 
been  assigned  and  this  outcome  can  be  compared  with  the  SERA  analysis. 

•  Only  cases  that  appeared  to  involve  human  factors  issues  were  considered.  Straight 
equipment  failures  were  rejected. 

•  Only  cases  with  a  sufficiently  detailed  narrative  were  selected.  This  meant  that  in  all 
cases  a  crewmember  or  passenger  survived  the  accident.  Only  two  out  of  the  20  cases 
involved  a  fatality. 

In  each  case  a  point  of  departure  from  safe  operation  has  been  identified  and  an  unsafe  act  or 
condition  described.  This  step  is  common  to  all  accident  investigation  processes  and  is  not 
specific  to  SERA.  Hence,  any  variability  due  to  the  identification  of  the  unsafe  act  should  not 
be  lumped  in  with  an  assessment  of  the  SERA  process  proper. 

It  is  intended  to  have  a  group  of  investigators  apply  SERA,  by  way  of  the  Java™  application, 
to  the  set  of  NTSB  accidents  so  that  inter-rater  reliability  can  be  established.  A  measure  of 
inter-rater  reliability  should  look  for  cases  of  agreement  and  disagreement  amongst  analysts. 
In the current context, agreement between two analysts is signalled by the inclusion of the
same  failure  category  for  the  same  case,  or  alternatively  by  the  common  omission  of  a 
category. 

Discussion


The  primary  objective  of  this  work  was  to  develop  a  tool  for  investigating  the  human  factors 
issues  of  accidents  and  incidents  using  the  strong  theoretical  position  afforded  by  the  IP/PCT 
model  (Hendy,  et  al.,  2001b).  Additional  objectives  were  to  link  the  outcome  of  the  resulting 
tool  (designated  SERA)  with  an  established  taxonomy  for  accident  investigation,  namely,  a 
version  of  the  Human  Factors  Accident  Classification  System  or  HFACS  (Shappell  and 
Wiegmann,  2000).  A  final  goal  was  to  extend  SERA  as  a  prototype  risk  management  tool. 

All  these  objectives  have  been  met. 

SERA  is  a  tool  for  accident  and  incident  investigation,  but  it  also  provides  a  comprehensive 
stand-alone  taxonomy  of  human  ‘error’.  A  comparison  of  SERA  with  HFACS  and  the  AGA 
135  version  of  HFACS  leads  to  the  following  comparisons: 

•  SERA  provides  a  more  comprehensive  taxonomy  of  active  failures  than  either 
HFACS  or  AGA  135  HFACS  (12  versus  3  versus  5  categories). 

•  SERA  provides  a  more  comprehensive  taxonomy  of  immediate  pre-conditions  than 
either  HFACS  or  AGA  135  HFACS  (12  versus  5  versus  10  categories). 

•  SERA  provides  a  more  comprehensive  taxonomy  of  organizational  influences  than 
either  HFACS  or  AGA  135  HFACS  (6  versus  3  versus  3  categories). 

As  an  investigative  tool  SERA  can  interface  with  other  classification  systems  such  as  HFACS, 
essentially  serving  as  a  front-end  for  data  entry  into  HFACS.  The  decision  ladders  of  SERA, 
shown  in  Figure  5  of  this  Report,  guide  the  investigative  process  (including  the  interview 
process)  to  the  active  points  of  failure  through  a  series  of  common  sense  questions.  For 
example: 


“...what did the operator believe was happening?”

“...was it a correct or adequate assessment?”

“...did the operator have the capability to sense and perceive the situation?”

“...was the time pressure excessive?”

The  response  to  most  of  these  questions  is  simply  YES  or  NO.  While  the  requirements  of 
human  factors  investigations  are  rarely  trivial,  this  structured  plain  language  process  greatly 
eases  the  need  for  the  investigator  to  have  extensive  human  factors  training  or  knowledge. 

The  answers  to  the  questions  embedded  in  Figure  5  hold  the  key  to  understanding  what  went 
wrong.  Annex  B  attempts  to  put  this  process  into  words,  but  while  each  step  is  relatively 
simple,  the  total  amount  of  material  contained  in  Annex  B  is  somewhat  daunting.  It  is 
expected  that  one  might  refer  to  the  text  of  Annex  B  only  in  the  first  few  applications  of 
SERA. Thereafter, the decision ladders of Figure 5 may provide sufficient guidance to
implement  the  process  once  one  is  familiar  with  the  basic  concepts. 

SERA  could  be  made  less  complex  if  the  material  of  Annex  B  was  shown  only  in  the  context 
of  the  investigator’s  current  place  in  the  overall  process.  SERA  could  be  easily  programmed 
into  a  decision-aiding  tool  that  would  run  on  a  Personal  Digital  Assistant  (PDA)  or  laptop 
computer.  This  might  either  be  stand-alone  or  made  available  in  a  web-based  application. 
Now  the  content  of  Annex  B  would  appear  one  screen  at  a  time,  to  support  the  investigator  in 
negotiating  the  current  step  in  the  decision  process.  Additional  material  could  be  displayed  to 
the novice, or if specifically requested by the user (e.g., What is meant by... [Capability, Time
Pressure  etc.]?).  The  investigator  could  insert  descriptive  material  at  each  step  to  justify  every 
YES-NO  decision.  Once  the  process  is  completed,  the  inserted  text  could  be  collected  and 
automatically  assembled  into  a  first  cut  at  the  draft  report.  The  database  built  during  the 
analysis  might  be  archived  and  embedded  as  an  object  within  the  HFACS  database  structure 
thus  retaining  the  contents  of  the  SERA  analysis.  A  limited  capability  proof-of-concept 
application,  with  these  properties,  is  demonstrated  and  described  briefly  in  this  report. 

Familiarity  with  the  underlying  concepts  behind  SERA  makes  the  process  more  palatable. 
Indeed  SERA  would  be  a  natural  way  to  lead  an  investigation  for  those  schooled  in  the 
IP/PCT  model.  Some  potential  changes  in  CF  human  factors  training  may  make  SERA  a 
logical  tool  for  the  future.  The  CF  Central  Flying  School  is  in  the  process  of  revising  their 
human  factors  training  for  all  aviation  trades  (pilots,  navigators,  weapons  systems  operators, 
flight  engineers  and  Air  Traffic  Controllers).  It  is  likely  that  the  Human  Factors  in  Decision 
Making  (HFDM)  courseware,  developed  by  DRDC  -  Toronto  (formerly  DCIEM)  for  the 
University  of  Toronto’s  Professional  Pilot  and  Aviation  Management  Post  Graduate  Diploma, 
will  be  influential  in  determining  the  syllabus.  HFDM  came  out  of  work,  conducted  between 
1994  and  1998,  for  the  CF’s  CC-130  Hercules  community  (Hendy  and  Ho,  1998).  Although 
the  recommendations  made  at  that  time  were  not  fully  implemented  by  the  CF,  some  IP/PCT 
concepts  have  found  their  way  into  various  Directorate  of  Flight  Safety  programmes,  and 
crew  resource  management  (CRM)  courses  at  the  Unit  level.  In  the  future  there  is  an 
expectation  that  HFDM  will  be  widely  taught  within  the  aviation  side  of  the  CF.  HFDM  is 
formally  and  rigorously  based  on  IP/PCT  and  therefore  is  entirely  consistent  with  SERA. 

Now  there  is  the  potential  that  material  taught  in  the  classroom  and  re-enforced  in  operational 
training,  also  forms  the  basis  for  both  operational  risk  management  and  accident  and  incident 
investigation. 

The  origin  of  HFACS  can  be  found  in  Shappell  and  Wiegmann's  (1997)  Taxonomy  of  Unsafe 
Operations.  Yet  the  migration  path  from  the  1997  taxonomy  to  HFACS  is  not  clear  and  if 
anything  moves  HFACS  away  from  what  theoretical  structure  was  imposed  in  the  original 
taxonomy.  For  example,  the  link  with  Rasmussen’s  goal  directed  ‘Intended-Unintended’ 
model  of  unsafe  acts  (Reason,  1990,  p.207)  has  been  lost  in  HFACS.  HFACS  is  quite 
different  in  detail  to  the  original  taxonomy  although  the  hierarchical  structure  from  Reason’s 
work  is  still  evident  and  indeed  has  been  expanded  to  include  organisational  factors.  AGA 
135  HFACS  introduces  even  more  drift.  Interestingly  SERA  combines  features  from  all  three 
theoretical  models  that  Wiegmann  and  Shappell  (1997)  consider  as  candidates  for  the  human 
factors  analysis  of  post  accident  data,  while  also  addressing  the  need  to  take  Reason’s  latent 
factors  into  account.  Even  here,  PCT  provides  a  framework  for  teasing  out  the  factors 
associated with the Command, Control, Supervisory, and Organisational aspects and, through
HGA,  establishes  the  hierarchical  structure  that  is  at  the  heart  of  Reason’s  model. 

While  the  issue  of  predictive  validation  remains  for  both  SERA  and  the  risk  management 
tools  presented  in  this  report,  the  theoretical  model  on  which  it  is  based  has  been  partially 
validated (Hendy, et al., 2001b). Establishing the predictive validity of SERA, or indeed
HFACS, is extremely difficult because there is no ground truth to compare the prediction
against. The ‘true’ causes of any accident or incident can rarely be or, in many circumstances,
can never be established. At the very least the results need to make sense (face and construct
validity). We have come a long way from classifying all human factors issues as ‘pilot error’
or ‘channelised attention’ but most likely we have a way to go yet before we can claim that
we have a system that “...encompasses all aspects of human error...” (Shappell and
Wiegmann, 2000, p. 13)... and really mean ‘all’ rather than ‘most’. HFACS and SERA are
steps  in  the  right  direction. 

Conclusions


The  Systematic  Error  and  Risk  Analysis  (SERA)  process,  for  investigating  the  human  factors 
causes  of  accidents  and  incidents,  is  based  on  a  solid  theoretical  framework  provided  by  the 
Information  Processing  (IP)  and  Perceptual  Control  Theory  (PCT)  models.  SERA  provides  a 
structured  process  for  identifying  both  active  failures  and  the  pre-conditions  that  led  to  these 
failures.  In  the  context  of  this  report,  SERA  is  developed  as  a  tool  to  help  the  accident 
investigator  in  populating  the  Canadian  Forces’  version  of  the  Human  Factors  Accident 
Classification  System  or  HFACS.  Yet  SERA  provides  its  own  taxonomy  of  human  factors 
causes  and  could  stand  alone,  independent  of  HFACS,  as  both  an  investigation  tool  and  as  an 
accident  classification  taxonomy.  Because  of  the  strong  separation  between  the  active  failures 
and  pre-conditions  that  mark  the  points  of  intervention  for  the  safety  system,  SERA  can  be 
extended  to  provide  a  risk  management  tool  at  both  the  tactical  (for  operators)  and  strategic 
(for  managers)  levels.  A  concept  for  a  risk  management  tool  is  developed,  based  on  12  SERA 
factors  at  the  tactical  level  and  six  SERA  factors  at  the  strategic  level. 

SERA  gains  construct  and  face  validity  from  the  theoretical  models  on  which  it  is  based,  but 
lacks  the  appeal  of  a  tool  that  has  seen  widespread  field  use  such  as  HFACS.  SERA  has  a 
formal  process  for  its  application  that  suggests  a  greater  level  of  complexity  than  HFACS. 

This  suggestion  of  complexity  is  perhaps  more  imagined  than  real  as  the  SERA  decision 
ladders  are  simple  to  navigate,  although  they  do  demand  that  the  investigator  is  able  to  answer 
a  series  of  questions  related  to  the  operator’s  goals,  state  of  knowledge  of  the  world,  and  their 
planned  actions.  While  this  might  seem  odious,  it  is  hard  to  imagine  that  an  understanding  of 
the  circumstances  of  the  accident  or  incident  can  be  obtained  in  the  absence  of  this 
information.  A  proof-of-concept  software  tool  for  implementing  this  process  is  described. 

Annex A: Definitions for the Points of Failure


In  this  Annex  the  points  of  failure  are  defined  for  each  layer  of  the  SERA  model.  These 
definitions  start  with  the  12  points  of  active  failure  and  then  go  on  to  define  the  pre-conditions 
to  these  failures,  both  immediate  and  remote. 

Active  Failures 

1.  INTENT  Failure:  The  unsafe  act  resulted  from  exercising  a  goal  that  was  inconsistent 
with  Rules  and  Regulations.  This  is  a  failure  in  INTENT  (VIOLATION).  Violations  do  not 
require  that  the  operator  knowingly  broke  the  rules. 

Alternatively  an  INTENT  (NON-VIOLATION)  failure  is  an  unsafe  act  that  resulted  from 
intentionally  exercising  a  goal  that,  although  consistent  with  Rules  and  Regulations, 

•  did  not  manage  or  bound  the  risk  (a  risky  rather  than  conservative  goal), 

•  was  inadequately  assessed  for  risk, 

•  was  not  consistent  with  established  operating  procedures  (this  would  be  an  INTENT  - 
Violation  if  the  use  of  SOPs  are  mandated  by  the  Rules  and  Regulations),  or 

•  was  inconsistent  with  the  state  of  proficiency,  capability  or  readiness  of  the  individual 
or  the  team  (e.g.,  the  pilot  exceeded  current  ability). 

Goal  generation  depends  on  your  state  of  knowledge  about  the  world.  For  this  to  be  a  failure 
in  INTENT  (NON-VIOLATION)  the  perception  of  the  situation  must  be  correct. 

2.  ATTENTION  Failure:  There  was  a  failure  to  attend  to  relevant  information  that  was 
present  or  accessible.  For  example: 

•  Fixation  on  one  aspect  of  the  task  captured  attention. 

•  A  loss  of  vigilance  or  sensitivity  for  low  probability  events. 

• An intentionally restricted locus of attention... the information was available but the
operator did not make the effort to access it.

•  A  breakdown  in  the  time-attention  trade-off.  Even  with  an  effective  time 
management  strategy  there  would  be  insufficient  time  to  attend  to  all  the  critical 
information.  To  know  you  must  attend  and  to  attend  you  must  have  time. 

3.  SENSORY  Failure:  The  operator  didn’t  have  the  physical  capabilities  at  the  time  of  the 
unsafe  act  (e.g.,  visual  acuity,  hearing)  to  sense  the  information  required  to  perform  the  task. 
This  could  be  a  breakdown  in  baseline  capability,  the  result  of  a  temporary  or  correctable 
condition,  or  due  to  physical  limitations  at  the  operator  interface.  For  example. 

•  Inadequate  visual  acuity  due  to  a  failure  to  wear  prescribed  corrective  lens. 

•  Visual  acuity  or  hearing  has  degraded  since  selection  due  to  age,  illness,  or  injury. 

•  Temporary  auditory  threshold  shift  due  to  recent  noise  exposure. 

•  Presence  of  glare,  low  luminance,  noise,  vibration. 

4. Knowledge (Perception) Failure: The operator didn’t have the pre-existing baseline
knowledge  or  skills  required  to  adequately  or  correctly  interpret  the  situation.  The  cues 
received  from  the  world  had  no  meaning  or  an  incomplete  meaning  to  the  operator.  The 
operator  cannot  use  the  information  that  is  available  to  interpret  the  situation  even  though  a 
knowledgeable  operator  would  be  expected  to. 

5.  PERCEPTION  Failure:  All  relevant  sources  of  information  were  attended  to  but  an 
incorrect  perception  was  formed  due  to  ambiguous  or  illusory  information,  or  due  to 
processing  biases  that  shape  our  perceptions  and  filter  the  available  information.  This  is  a 
breakdown  in  forming  a  ‘picture’  of  what  is  happening,  and  is  NOT  a  limitation  due  to 
sensory  capability  nor  a  breakdown  in  prerequisite  perceptual  task  knowledge. 

6.  Communication/Information  Failure:  A  failure  in  communication  or  information 
exchange between machine (display) and human, or human and human. The operator did
not receive relevant information, or was passed incorrect information. This is a breakdown in
the  information  link  between  human  and  human  or  between  human  and  machine  or  display. 

7.  Time  Management  Failure:  A  failure  to  use  appropriate  and  effective  time 
management  strategies,  including:  incorrect  or  inappropriate  prioritisation  of  attention,  failure 
to  delegate,  postpone,  shed  tasks,  failure  to  simplify  the  task,  failure  to  take  control  of  the 
timeline  of  the  activity,  or  a  failure  to  pre-plan  or  bring  tasks  forward. 

8.  Knowledge  (Decision)  Failure:  The  operator  didn’t  have  the  pre-existing  baseline 
knowledge  or  skills  required  to  form  an  appropriate  or  correct  response  to  the  situation.  The 
operator  doesn’t  know  the  correct  or  appropriate  response  for  this  situation  or  can’t 
demonstrate  an  adequate  technique.  This  is  a  failure  in  knowing  what  to  do  rather  than  a 
failure  in  implementing  the  response. 

9.  Ability  to  Respond  Failure:  Didn’t  have  the  physical  capabilities  (e.g.,  strength, 
reach,  reaction  time,  vocal  effort)  to  make  the  response  required  to  perform  the  task.  This 
could  be  a  breakdown  in  baseline  physical  capability  (not  knowledge),  could  be  due  to  a 
temporary  or  correctable  condition,  or  could  be  due  to  physical  limitations  at  the  operator 
interface. For example:

•  Insufficient  lifting  strength. 

•  Noise,  vibration,  or  loss  of  power  assistance. 

• Muscle pulls, strains or other injuries that limit the range of motion or force exerted.

10.  Action  Selection  Failure:  A  failure  in  the  decision  process  due  to  shortcomings  in 
action  selection,  rather  than  a  misunderstanding  or  misperception  of  the  situation.  These  are 
failures  to  formulate  the  right  plan  to  achieve  the  goal,  rather  than  a  failure  to  carry  out  the 
plan.  For  example: 

•  An  incorrect  or  inadequate  procedure  was  implemented  as  intended.  A  correct  or 
adequate  response  does  exist  in  memory  but  was  not  selected.  This  includes  an 
inappropriate  ‘no  action.’  This  could  be  due  to: 

o  Failures  in  knowledge-based  reasoning  due  to  working  memory  limitations,  or 
processing  biases. 

o Failures in rule-based (IF ‘A’ then ‘B’) reasoning where once the IF part of the
situation is recognised the THEN part of a previously used rule is inappropriately
applied. This typically occurs when exceptions to rules are not recognised.

o Failure to use an appropriate technique, but only if the operator could
demonstrate a correct or adequate technique under other circumstances (if they
can’t the failure is in Knowledge - Decision).

•  There  is  insufficient  time  to  choose  a  correct  or  adequate  course  of  action  from  memory 
even  though  it  does  exist  or  would  likely  be  derived  if  more  time  were  available.  There  is 
no  time  to  generate  alternatives  and  test  them  mentally  for  their  appropriateness. 

•  Freezing:  the  operator  does  nothing  to  correct  a  recognised  problem  due  to  a  perceived 
inability  to  change  the  situation;  this  doesn’t  include  a  planned  ‘no  action’,  forgetting,  or  a 
lack  of  response  because  there  is  no  time  to  formulate  one. 

11. Slips, Lapses and Mode Errors: The response was not implemented as intended.
This is a failure in action execution rather than action selection...what was done was not what
was intended. The wrong sequence or plan was triggered. These types of errors include:

•  Slips,  misses  and  bungles:  occurs  when  the  intended  behaviour  is  ‘captured’  by  a 
similar  well-practised  behaviour  (e.g.,  operating  the  gear  lever  instead  of  the  flap 
lever).  These  are  failures  in  skill-based  behaviour.  Slips  may  occur  when:  the 
intended  action  involves  a  slight  departure  from  the  routine;  some  characteristics  of 
the  stimulus  of  the  action  sequence  are  related  to  the  inappropriate  but  more  frequent 
action;  the  action  is  relatively  automated  (skill-based  behaviour)  and  is  therefore  not 
closely  monitored  (feedback).  Generally  feedback  detects  slips  and  misses  as  the 
deviation  from  intended  action  is  often  easily  detected. 

•  Lapses:  a  planned  response  was  not  actioned  at  the  appropriate  time,  missed  a  check 
list  item  or  a  step  in  a  procedure,  left  a  tool  in  the  work  area,  not  torquing  a  nut  at  the 
end  of  an  assembly  procedure,  bumping  into  something  or  inadvertently  activating  a 
control.  Lapses  are  what  might  be  called  forgetfulness  (failures  in  prospective 
memory),  often  precipitated  by  an  interruption.  Lapses  are  often  seen  in  maintenance 
and  installation  procedures. 

•  Mode  errors:  performing  an  action  that  is  inappropriate  in  the  current  mode  but  would 
be  appropriate  in  another  mode.  Generally  these  errors  occur  when  the  operator 
forgets  which  mode  is  selected  or  forgets  that  the  action  they  are  about  to  perform 
gives  different  than  expected  results  in  the  current  mode. 

Operators  are  more  likely  to  monitor  their  actions  than  the  results  of  their  actions.  Hence  slips 
are  often  self  corrected  while  lapses,  mode  errors  and  mistakes  often  go  undetected  for  long 
periods  of  time. 

12. Feedback Failure: Our internal models (where things are in space, vehicle dynamics,
how  things  work,  etc.)  of  the  world  are  often  imprecise  but  as  long  as  error-correcting 
feedback  is  maintained  we  can  generally  expect  to  achieve  the  goal.  If  feedback  is  not 
present,  such  as  when  attention  is  shifted  prematurely,  there  is  a  failure  in  error  correction. 
Feedback  breaks  down  whenever  a  situation  occurs  where  no  one  or  nothing  (humans  or 
machines)  is  monitoring  to  ‘see’  that  the  goal  has  been  achieved.  This  includes  failure  in 
backing-up,  crosschecking  or  monitoring  to  ensure  goal  achievement.  Feedback  should  be 
maintained at the individual (monitoring, checking), team (crosschecking, supervision,
backing  up)  and  organizational  level  (Command  and  Control,  organization  health  monitoring, 
oversight).  Was  feedback  maintained  or  did  the  behaviour  go  ‘open  loop’? 

Pre-conditions  to  Active  Failures 

The  immediate  pre-conditions  describe  the  condition  of  the: 

•  Personnel, 

•  Task,  and 

•  Working  environment. 

Condition  of  the  Personnel 

The  condition  of  the  personnel  is  further  broken  down  and  defined  by  the  following  seven 
states.  These  seven  states  describe  the  condition  of  the  individuals,  working  both  individually 
and  as  a  team  or  group. 

•  Physiological, 

•  Psychological, 

•  Social, 

•  Physical  capability, 

•  Personnel  readiness, 

•  Training  and  selection,  and 

• Qualification and authorization.

Together  these  conditions  impact  all  components  of  the  IP/PCT  model  and  hence  the  human 
decision  maker.  The  personnel  factors  are  broken  down  as  follows. 

Physiological: Physiological states that are associated with impaired performance include:

•  Drowsiness. 

•  Medical  illness. 

•  Pharmacological  and  toxicological  effects. 

•  Acceleration  effects. 

•  Circadian  and  time  of  day  effects. 

•  Decompression  sickness. 

•  Intoxication. 

•  Hang  over. 

•  Hypoxia. 

•  Trapped  gas  effect. 

• G-Induced Loss of Consciousness.

•  Physiological  Incapacitation. 

•  Physical  Fatigue. 

•  Other  Physiological  Impairments. 

Psychological: Psychological states, attitudes, traits, and processing biases shape the
goals we set, the way we interpret or perceive information, and the actions we form. Certain
states can contribute to the likelihood of an active failure.

• Complacency: “...it can’t happen to us”, “...it’ll be alright”, “...no need to worry.”

• Resignation: “...there’s nothing we can do.” The operators resigned themselves to
the outcome and stopped trying to respond.

•  Motivation  can  be  too  high  leading  to  risky  behaviour,  or  too  low  reducing  the 
amount  of  effort  put  into  the  task. 

o Excessive motivation to get the job done (e.g., Get-home-itis, excessive ‘can-do’
attitude) can lead operators into situations that are beyond their
capabilities or the capabilities of their crews under the circumstances (level
of training, fatigue, etc.). Risk management can break down.

o  Low  motivation  can  lead  to  reduced  locus  of  attention  (what  information  you 
are  prepared  to  seek  out),  the  willingness  to  consider  alternative  courses  of 
action,  delays  in  responses,  breakdown  in  monitoring,  cross  checking  and  all 
forms  of  feedback,  and  willingness  to  share  information  in  a  team 
environment.  Generally  low  motivation  translates  into  a  lack  of  enthusiasm 
for  the  task. 

•  Morale:  leading  to  a  lack  of  motivation  to  work  the  problem. 

• Macho: showing off, trying to impress often leads to risky choices.

• Anti-authoritarian: reflects the attitude “...rules are just made to be broken...they
don’t apply to us...”

•  Boredom:  boredom  translates  into  a  state  of  low  motivation  and  commitment  to  the 
task. 

•  Distraction  and  Life  Stress:  factors  external  to  the  primary  task  that  compete  for 
attention  (prolonged  extraneous  conversation,  financial  concerns,  domestic  problems, 
forthcoming  exams  or  a  meeting,  a  purchase  etc.).  While  your  attention  is  turned  to 
these  external  events  it  is  not  available  to  apply  to  the  primary  task.  These  are 
pervading  factors  that  act  over  extended  periods  of  time  during  the  performance  of  the 
task.  They  are  not  momentary  distracters  such  as  an  alarm,  a  loud  noise,  or  a  brief 
flash  in  the  visual  field. 

•  Mental  fatigue:  weariness  felt  after  long  periods  of  intense  mental  activity  and 
sustained  concentration  that  affects  the  ability  to  attend  to  the  task  at  hand. 

•  Attentional  information  Processing  Biases:  attentional  information  processing  biases 
shape  what  we  attend  to  (they  are  present  in  the  absence  of  time  pressure  but  become 
more dominant as time pressure increases). They are not brain failures but represent
time  efficient  strategies  for  human  problem  solving.  However,  they  can  let  us  down 
as  they  filter  the  available  information.  Here  are  some  examples: 

o Salience - we are hard wired to attend to and place higher emphasis on
information associated with loud sounds, bright lights, motion and position in
our  visual  fields  (in  our  central  field,  at  the  top  of  displays  etc.).  These  are 
momentary  distracters  that  briefly  capture  attention. 

o  Confirmation  bias  -  the  tendency  to  seek  out  information  that  confirms  our 
initial  assessment  rather  than  information  that  is  contrary. 

Perceptual  information  processing  biases  shape  how  we  weight  and  assimilate 
information  (they  are  present  in  the  absence  of  time  pressure  but  become  more 
dominant  as  time  pressure  increases).  They  are  not  brain  failures  but  represent  time 
efficient  strategies  for  human  problem  solving.  However,  they  can  let  us  down  as 
they  filter  the  available  information.  Here  are  some  examples: 

o  Availability:  the  probability  of  events  is  evaluated  by  the  ease  with  which 
relevant  instances  come  to  mind.  In  general,  frequent  events  are  easier  to 
recall  or  imagine  than  infrequent  ones. 

o  Ignoring  prior  probabilities:  humans  tend  to  ignore  the  base  rate  or  underlying 
probabilities  of  a  particular  situation  (e.g.,  fog  in  the  region  at  this  time  of 
year,  excessive  downdrafts  with  the  wind  from  a  particular  quarter). 

o Intuitive statistician: humans tend to overestimate the likelihood of
occurrence of low probability events, and underestimate the occurrence of
high  probability  events. 

o  Anchoring:  the  tendency  for  the  order  in  which  information  is  gathered  to 
guide  (or  anchor)  the  interpretation  of  the  situation.  If  the  information  is 
simple  we  tend  to  weight  the  information  received  first  most  heavily,  if  it  is 
complex  we  tend  to  weight  the  most  recently  received  information  most 
heavily. 

o  As-if  bias:  people  tend  to  weight  all  data  as  equally  important  to  the  decision 
process  even  if  they  are  not. 

o  Representativeness  heuristic:  the  tendency  to  assume  that  a  situation  that  has 
similar  characteristics  to  something  you  have  experienced  before,  is  indeed 
the  same. 

o  Expectation:  our  perceptions  are  shaped  by  what  we  expect  or  do  not  expect 
(e.g.,  if  you  are  cleared  to  land  [expectation  is  that  the  runway  is  clear],  you 
would  not  expect  to  see  another  aircraft  occupying  the  runway) 

Decision biases affect action selection (these are present in the absence of time
pressure  but  become  more  dominant  as  time  pressure  increases).  They  are  not  brain 
failures  but  represent  time  efficient  strategies  for  human  problem  solving.  However, 
they  can  let  us  down  as  they  filter  the  available  information.  Here  are  some 
examples: 

o Availability: the tendency to use the response that is most familiar or has
been  used  recently. 

o  Over  confidence:  people  in  general  are  more  confident  of  their  chosen  course 
of  action  than  is  reasonable  given  the  uncertainty  in  the  decision-making 
environment.  There  is  the  potential  to  close  off  the  search  for  answers  before 
all  available  evidence  can  be  collected  because  of  overconfidence. 

o  First-to-fit:  the  selection  of  the  first  course  of  action  that  seems  appropriate. 
Operators  often  do  not  explore  a  complete  or  even  a  large  set  of  options. 

o  Sunk  cost  bias:  a  tendency  to  put  more  resources  into  a  process  that  you 
already  have  an  investment  in. 

o  Strategy  persistence:  a  tendency  to  keep  doing  what  you  have  been  doing 
even  though  an  outside  observer  can  see  that  it  is  no  longer  appropriate 
(pressing  on). 

•  Other  Psychological  States. 

Social: Factors that determine the effectiveness of how groups and teams interact. For
example: 

•  Trans-cockpit  Authority  Gradient:  the  perceived  willingness  of  the  Aircraft 
Commander  to  use  both  Leadership  and  Command  styles  to  set  the  direction  taken  by 
the  aircraft  crew. 

o  A  steep  gradient,  biased  towards  the  Aircraft  Commander,  occurs  when  the 
AC  constantly  achieves  team  goals  by  using  Command  authority  rather  than 
Leadership  or  Personal  authority.  This  reinforces  the  command  structure  but 
jeopardises  the  free  flow  of  information  between  crewmembers. 

o  A  neutral  gradient  exists  when  the  AC  consistently  achieves  team  goals  by 
the  use  of  Personal  rather  than  Command  authority,  and  encourages 
contributions  from  all  crewmembers.  Command  authority  is  reserved  for 
those  times  when  critical  decisions  must  be  made  against  high  time 
constraints.  This  creates  a  strong  environment  for  team  working. 

o  A  steep  gradient,  biased  towards  the  Co-pilot  or  another  crewmember,  exists 
when  the  AC  fails  to  Command  when  it  is  appropriate  and  the  Leadership 
role  passes  to  another  crewmember  with  strong  personal  authority.  This 
jeopardises  the  command  structure  and  the  AC’s  role  within  the  cockpit  team. 

•  Rank  gradient:  the  perceived  willingness  to  use  Leadership  or  Command  styles  to  set 
the  direction  taken  by  the  team. 

o  A  steep  gradient,  biased  towards  the  senior  person,  occurs  when  team  goals 
are  constantly  achieved  using  Command  authority  rather  than  Leadership  or 
Personal  authority.  Note  that  the  senior  person  may  or  may  not  be  the 
designated  team  Commander  or  Leader,  in  the  sense  of  the  position  rather 
than  the  style  (e.g.,  in  an  aircraft  cockpit).  This  reinforces  the  command 
structure  but  jeopardises  the  free  flow  of  information  between  team  members. 

o  A  neutral  gradient  exists  when  the  senior  person  consistently  achieves  team 
goals  by  the  use  of  Personal  rather  than  Command  authority,  and  encourages 
contributions from all team members. Command authority is reserved for
those  times  when  critical  decisions  must  be  made  against  high  time 
constraints.  This  creates  a  strong  environment  for  team  working. 

o  A  steep  gradient,  biased  towards  more  junior  team  members,  exists  when  the 
senior  person  fails  to  Command  when  it  is  appropriate  and  the  Leadership 
role  passes  to  other  team  members  with  strong  personal  authorities.  This 
potentially  jeopardises  the  command  structure  and  the  senior  person’s  role 
within  the  team. 

•  Peer  pressure:  one  may  believe  that  acceptance  by  the  peer  group  depends  on 
adopting  the  group’s  attitudes  and  norms.  Behaviours  will  be  shaped  by  a  desire  to 
act  in  accordance  with  these  perceived  attitudes  and  norms. 

•  Leadership:  to  lead  is  to  use  your  personal  authority  to  influence  the  direction  the 
team  follows  (compared  to  Command  where  your  legitimate  or  legal  authority  is  used 
to  the  same  end).  People  follow  leaders  willingly  (one  does  not  have  to  be  willing  to 
be  commanded)  without  threat  of  coercion.  Leadership  is  established  by  behaviours 
that  build  trust  and  respect.  The  strength  of  leadership  (and  indeed  Command)  is 
judged  by  how  well  the  Leader  forms  intent,  communicates  the  intent  to  the  team, 
obtains  the  buy-in  of  the  team  members,  and  controls  the  pace  of  the  task  so  that  the 
team  can  follow. 

•  Commitment  to  the  team:  this  defines  the  likelihood  that  team  members  will  display 
effective  followership  and  situational  leadership. 

•  Assertiveness:  assertiveness  describes  the  force  and  conviction  with  which 
information  is  conveyed  to  another  team  member.  Assertiveness  should  be 
situationally  appropriate.  When  the  safety  of  the  operation  is  at  jeopardy,  the  highest 
level  of  assertiveness  is  called  for. 

•  Receptiveness:  describes  the  readiness  of  any  team  member  to  accept  input  from  all 
sources. 

•  Cohesiveness:  the  extent  to  which  the  team  agrees  on  the  common  goals  and  the 
process  of  achieving  them. 

•  Group  think:  a  complex  concept  leading  to  behaviours  of  self  censorship,  and 
illusions  of  unanimity  where  no  dissenting  information  is  offered  that  threatens  the 
position  taken  by  the  group  or  team. 

•  Social  loafing:  one  or  more  team  members  do  not  actively  contribute  to  the  common 
goals.  They  rely  on  other  team  members  to  get  the  job  done. 

•  Other  Social  Factors 

Physical Capability: Factors that determine the capability (physical not cognitive) to
sense  information  and  implement  the  intended  action  or  behaviour.  These  include: 

•  Body  size. 

•  Strength. 

•  Flexibility  or  range  of  motion. 

• Dexterity.

•  Visual  acuity. 

•  Colour  vision. 

•  Field  of  view. 

• Hearing.

•  Localization  of  sound. 

•  Reach. 

•  View. 

•  Other  Physical  Capability  Limitations. 

Personal Readiness: An operator’s personal obligation to be ready physiologically,
psychologically,  physically  and  mentally  to  perform  the  task.  If  an  operator  is  not  ready  to 
perform  the  task  they  must  let  the  team  or  their  supervisor  know.  Personal  readiness  factors 
refer  to  the  operator’s  actions  prior  to  and  leading  up  to  the  performance  of  the  task.  They  are 
what  the  operator  did  or  did  not  do  in  preparing  for  the  performance  of  the  task.  For  example: 

•  Alcohol  consumption  while  on  duty  or  immediately  prior  to  duty. 

•  Inadequate  rest. 

•  Is  in  possession  of  the  required  personal  aids  to  perform  the  task  (corrective  lens, 
hearing  protection,  personal  equipment  ensembles) 

•  Is  in  possession  of  the  required  personal  tools  and  equipment  for  the  task. 

•  Use  of  prescribed  drugs  or  medication  that  affects  physiological  or  psychological 
states. 

•  Use  of  self-medication  (e.g.,  anti  histamines  that  induce  drowsiness)  that  affects 
physiological  or  psychological  states. 

•  Recent  excessive  physical  exertion. 

• Carrying injuries that affect range of motion and the ability to exert force.

•  Has  maintained  personal  skills  and  knowledge  required  for  the  job. 

•  Other  Personal  Readiness  Factors. 

Selection and Training: Selection and training deal with the skills required to do the job
not  the  legal  authority. 

•  Selection:  the  operator  lacked  the  basic  abilities  (aptitude,  vision,  hearing,  language, 
etc.)  that  would  allow  the  situation  to  be  correctly  interpreted  or  would  allow  an 
adequate  response  to  be  formed. 

•  Training:  the  operator  had  the  basic  abilities  (vision,  hearing,  language,  etc.)  but 
lacked  the  knowledge  required  to  correctly  assess  the  situation  or  would  allow  an 
adequate  response  to  be  formed. 

o Baseline knowledge: prerequisite or underlying knowledge. Knowledge that
is fundamental to doing the job. Knowledge learnt in basic training (e.g.,
aircraft radio aids and their function in navigation).

o Task knowledge: specific knowledge that is required to perform the task (e.g.,
how to fly a back course ILS).

o  Aircraft  Knowledge:  knowledge  specific  to  the  aircraft  type  and  its  systems 
(e.g.,  how  to  set  up  the  FMS  and  the  correct  approach  speeds  for  landing  and 
gear/flap  deployment). 

•  Currency:  skills  and  knowledge  have  degraded  over  time  and  have  not  been  refreshed. 

Qualification and Authorization: Qualification and Authorization deal with the legal
pre-requisites  for  performing  certain  activities  (qualified  on  type,  qualified  to  handle 
hazardous  materials,  authorized  to  fly  the  mission  etc.)  rather  than  the  ability  or  capability  to 
carry  out  the  task. 

•  Qualification:  the  operator  was  not  qualified  to  conduct  the  activity. 

•  Authorization:  the  operator  was  not  authorised  to  conduct  this  activity. 

While  unqualified  or  unauthorised  personnel  may  lack  either  capability  or  ability  it  doesn’t 
necessarily  follow.  The  active  failures  will  directly  implicate  the  ability  and  capability  of  the 
personnel  to  carry  out  the  activity  (e.g.,  capability  and  knowledge  failures  are  likely  when 
unqualified  or  unauthorised  people  are  used  to  perform  the  task)  independently  of  the  state  of 
qualification  or  authorisation  of  the  personnel. 


Condition  of  the  task 

The  condition  of  the  task  is  described  by  two  factors. 

Time Pressure: The tempo of the task is excessive. There is little or no time to rest or
regroup, “...there is no time to think.” Operators are paced by the task and have little scope to
actively manage the timeline. Options for timeline management are few, if any. Responses
are required immediately the stimulus appears. Response delays are unacceptable.

The  IP  model  describes  the  breakdown  of  the  human  information  processing  system  under 
excessive  levels  of  time  pressure,  but  there  are  other  situations,  not  described  by  the  IP  model, 
where  performance  is  degraded  despite  low  task  tempo.  For  example,  activities  where  events 
are  insufficiently  frequent  to  maintain  physiological  activation  and  psychological  arousal 
levels  will  promote  a  state  of  sleep,  with  the  possibility  that  what  would  normally  be  an  easily 
detectable  event  is  missed  (an  isolation  cell  is  an  extreme  example  of  this  type  of  situation). 

Vigilance  tasks  are  special  cases  of  low  task  tempo  situations.  Vigilance  tasks  are  special 
cases  because  of: 

•  the  requirement  for  sustained  attention  over  extended  periods  of  time  and  rapid 
response  to  the  stimuli  when  it  does  appear  (hence  they  may  not  be  perceived  as  low 
workload  situations), 

•  low  probability  events,  and 

• events of low detectability.

Although  fundamentally  different,  in  all  cases  a  failure  in  attention  might  be  expected. 

Objectives: The objectives set for the task generate the tactical and strategic goals for the
operators  performing  the  task  and  define  the  nature  of  the  task.  Are  the  objectives: 

•  consistent  with  the  actual  capabilities  and/or  experience  levels  of  all  operators  who 
are  qualified  and  authorised  to  do  the  job? 

•  appropriate  for  the  approved  mission? 

•  clearly  understood  or  uncertain? 

Do  the  objectives: 

•  involve  high  risk  with  low  benefit? 

Working  conditions 

The  following  factors  describe  the  working  conditions. 

Equipment  (Tools  of  the  Trade):  These  factors  describe  the  interfaces  with  which  the 
operator(s)  is  attempting  to  carry  out  the  task.  This  includes:  controls,  displays,  panels, 
transparencies,  knobs,  dials,  levers,  connectors,  life  support  and  protective  equipment,  tools, 
test  rigs,  information  sources  including  documentation  and  manuals  etc.  Is  the  equipment: 

•  Unsafe/Hazardous? 

•  Unreliable/Faulty? 

•  Difficult  to  operate? 

•  Uncontrollable? 

•  Available? 

•  Inappropriate  for  task? 

• Miscalibrated?

•  Correctly  documented? 

•  Designed  in  accordance  with  good  human  engineering  principles? 

•  Other  Equipment  Factors? 

Workspace: These factors describe the physical arrangement and layout of the workspace
itself,  including: 

•  Physical  constraints  that  limit  movement,  or  limit  the  use  of  tools  and  equipment. 

•  Displays  or  critical  information  that  are  not  visible,  obstructed  or  partially  visible. 

•  Controls  or  components  totally  or  partially  inaccessible. 

•  Cockpit  layout. 

•  Seating. 

• Other Workspace Factors.

Environment: These factors describe the environment in which the activity takes place,
including: 

•  Lighting  (inadequate  natural/artificial  light,  dusk/night  time) 

•  Weather/exposure  (temperature,  precipitation,  wind,  cloud  cover  etc.) 

• Environmental hazards (radiation, ice, water, noise, housekeeping, cleanliness,
hazardous/toxic substances)

•  Other  Environmental  Factors. 

Failures  in  Command,  Control  and  Supervision 

Command,  Control  and  Supervision  are  described  in  the  following  terms. 

Forming Intent: The objectives of the task, and lines of responsibility, were not clearly
formulated by Managers and Supervisors. This is a failure in the formation rather than the
communication  of  the  strategic  objectives  for  the  mission. 

Were  the  high  level  goals  set  by  Managers  and  Supervisors: 

•  contradictory; 

•  ambiguous; 

•  in  violation  of  SOPs,  Rules  and  Regulations;  or 

•  based  on  unrealistic  expectations? 

Communication  of  Intent:  The  objectives  of  the  task  and  lines  of  responsibility  were  not 
clearly  communicated  by  Managers  or  Supervisors.  This  is  a  failure  in  communicating  the 
intent  to  those  that  are  to  carry  out  the  objectives.  The  problem  is  in  communicating  the 
intent,  not  in  forming  the  intent.  Were  the  objectives,  as  stated,  ambiguous  or  contradictory 
(“...achieve the best performance you can, spend the least amount of money”) or was the
intent  poorly  communicated  (generally  ambiguous  goals  can  not  be  communicated  clearly,  but 
sometimes  the  communication  of  a  clearly  defined  goal  will  fail  also)? 

Monitoring and Supervision: Monitoring or supervisory activities are missing, delayed
or  were  otherwise  inadequate  to  provide  error-correcting  feedback  ensuring  successful  task  or 
mission  completion. 

Organizational  failures 

Organisational  influences  involve  the  following  factors. 

Mission: Is the mission clearly defined, approved, and within the capability of the
organization? The stated mission should be consistent with the resources available. Note that
in a new or changing organization the mission statement usually comes first and then the
required resources are defined and provided...in a mature organization new missions may be
conceived for an organization that has a fixed resource base. This is a ‘chicken and egg’
issue...there is always a trade-off between the acceptance of the mission and the availability
of resources. The point of failure depends on the constraints. If the resources are fixed then
the mission statement must be matched to the assets available. If the statement of the scope of
the mission exceeds the resources, then the failure is in the mission statement not in the
provision of the resources.

Provision of Resources: This refers to the management, allocation, and maintenance of
organizational  resources,  such  as: 

•  Human  -  the  term  ‘human’  refers  to  operators,  staff,  support  and  maintenance 
personnel.  Personnel  issues  that  directly  influence  safety  include  the  organization’s 
obligation  and  ability  to  select  capable  people,  train  them  to  criteria  performance,  and 
staff/man  units  to  a  level  that  is  consistent  with  the  mission  requirements. 

•  Equipment/facilities  -  Equipment/Facility  refers  to  issues  related  to  equipment 
design,  including  the  purchasing  of  equipment  that  is  suitable  for  the  role  and  failures 
to  correct  known  design  flaws.  Management  should  ensure  that  human  factors 
engineering  principles  are  known  and  utilised  in  procurement,  and  that  appropriate 
specifications  for  equipment,  workspace  design  and  the  working  environment  are 
identified  and  met. 

•  Monetary  -  monetary  issues  refer  to  the  management  of  non-human  resources, 
primarily  monetary  resources.  Are  funding  levels  adequate  to  provide  proper  and  safe 
equipment,  and  appropriate  numbers  of  trained  personnel? 

The  resources  available  should  be  consistent  with  achieving  the  mission.  Note  that  in  a  new 
or  changing  organization  the  mission  statement  usually  comes  first  and  then  the  required 
resources are defined and provided...in a mature organization new missions may be
conceived for an organization that has a fixed resource base. This is a ‘chicken and egg’
issue...there is always a trade-off between the acceptance of the mission and the availability
of  resources.  The  point  of  failure  depends  on  the  constraints.  If  the  mission  is  stated  and  the 
organization  has  the  freedom  to  increase  its  resources  to  match  the  requirements  of  the 
mission,  but  fails  to  identify  this  need  or  follow  through  on  an  identified  shortfall,  then  the 
failure  is  in  the  provision  of  resources. 

RULES  and  Regulations:  Rules  and  Regulations  have  a  special  place  within  an 
organization’s  processes.  Rules  and  Regulations,  which  may  be  imposed  by  an  external  body, 
set  the  constraints  and  establish  the  legal  requirements  within  which  the  operational  mission 
has  to  be  accomplished  (e.g.,  Rules  of  Engagement). 

Not  acting  in  accordance  with  Rules  and  Regulations  will  generally  invite  disciplinary  action. 
Are  the  Rules  and  Regulations  consistent  with  the  mission  requirements?  Can  you  do  the  job 
safely within the constraints imposed by the Rules and Regulations? Do the Rules and
Regulations  establish  sufficient  safeguards  for  the  operation? 

ORGANIZATIONAL  Process:  Organizational  process  refers  to  the  formal  processes  by 
which  things  are  supposed  to  be  accomplished  in  the  organization.  Three  factors  are  included 
in  this  area  -  operations,  procedures,  and  managing  change. 

•  Operations  -  ‘operations’  refers  to  processes  established  by  management  that 
determine  the  characteristics  or  conditions  of  work.  These  include  the  use  of 
production  quotas  and  incentive  systems  to  motivate  workers,  schedules  to  maintain 
the  usage  of  plant  or  maintain  the  health  and  well  being  of  the  workers  etc.  When  set 
up inappropriately, these processes can establish working conditions that are
detrimental  to  safety. 

•  Procedures  -  procedures  are  the  official  or  formal  statements  as  to  how  the  job  is  to 
be  done.  Examples  include  performance  standards,  objectives,  documentation,  SOPs, 
instructions  about  procedures,  etc.  Poor  procedures  can  negatively  impact 
supervision,  performance,  and  safety. 

•  Managing  change  -  these  are  processes  in  place  for  initiating  and  managing  change 
in  the  organization  in  response  to  the  information  provided  by  oversight. 

ORGANIZATIONAL  Climate:  Organizational  climate  refers  to  organization  variables  that 
shape  worker  attitudes  and  make  certain  behaviours  more  likely  to  emerge.  The 
organizational  climate  reflects  the  values  that  the  organization  is  actually  pursuing  (these  are 
not  necessarily  the  stated  values).  In  general,  organizational  climate  describes  the  prevailing 
atmosphere or environment within the organization. It is defined as “...situationally-based
consistencies in the organization’s treatment of individuals” (from Jones, 1988, as quoted by
Shappell and Wiegmann, 2000, p11). Organizational structure, policies, and culture are
elements  that  affect  the  climate. 

•  Structure  -  ‘structure’  refers  to  the  formal  component  of  the  organization,  its  ‘form 
and  shape.’  An  organization’s  structure  is  reflected  in  the  chain-of-command, 
delegation  of  authority  and  responsibility,  communication  channels,  and  formal 
accountability  for  actions.  Organizations  with  maladaptive  structures  will  be  more 
prone  to  accidents. 

•  Policies  -  policies  refer  to  a  course  or  method  of  action  that  guides  present  and  future 
decisions.  Policies  may  refer  to  hiring  and  firing,  promotion,  retention,  raises,  sick 
leave,  attitudes  to  drugs  and  alcohol,  overtime,  accident  investigations,  use  of  safety 
equipment,  etc.  When  these  policies  are  ill  defined,  adversarial,  or  conflicting,  safety 
may  be  reduced. 

•  Culture  -  culture  includes  the  acceptance  of  unspoken  or  unofficial  rules,  and 
customs of an organization, “...the way things really work around here.” In this case
the actual process does not follow the formally set down process of the organization.
Other issues related to culture include organizational justice, psychological
contracts,  organizational  citizenship  behaviour,  esprit  de  corps,  and 
union/management  relations. 

All  these  issues  affect  manager  and  worker  attitudes  about  safety,  adherence  to  guidelines  and 
SOPs,  and  the  value  of  a  safe  working  environment. 

OVERSIGHT  -  oversight  refers  to  management’s  procedures  for  monitoring  and  checking 
resources,  climate,  and  processes  to  ensure  a  safe  and  productive  work  environment.  Issues 
here  relate  to  the  existence  of  methods  for  organizational  self-study,  risk  management,  and  the 
establishment  and  use  of  safety  programs.  Oversight  provides  the  error  correcting  feedback 
for  identifying  and  correcting  (with  a  process  for  managing  change)  systemic  deficiencies  in 
the  Mission,  the  Provision  of  Resources,  the  Rules  and  Regulations,  the 
Organizational  Process,  and  the  Organizational  Climate. 

Annex B: Implementing a SERA Analysis

Implementing  a  SERA  analysis  involves  the  following  five  Steps. 

STEP  1  (Identify  the  unsafe  act  or  unsafe  condition) 

WHAT IS AN UNSAFE ACT? An act is something that someone has done...it is observable...it
is the outcome of a decision (e.g., “...the pilot initiated a roll and pull-through manoeuvre
from 3000 ft AGL”). You might have risky intentions, but until such time as you take action
there  is  no  unsafe  act.  A  risky  goal  is  not  an  unsafe  act  until  something  is  done  about  it, 
although  announcing  your  intent  to  another  party  may  be  considered  an  unsafe  act  if  there  is 
an  expectation  that  the  intent  will  be  carried  out. 

WHAT  IS  AN  UNSAFE  CONDITION?  A  condition  is  some  state  of  the  world.  It  also  is 
observable (e.g., “...the aircraft descended below the MDA without the runway in sight”).
Here you are describing “...what was” rather than “...what was done.”


[Figure: timeline from safe acts through unsafe acts to the accident or incident, with labels for the first departure from safe operations, the critical unsafe act, Reason's defences in depth, and “Want to be here”.]

DEPARTURE  FROM  SAFE  OPERATION.  Identify  the  first  point  in  the  timeline  where  there  is  a 
departure  from  safe  operation.  Describe  the  unsafe  act  or  unsafe  condition  that  marks  this 
point.  You  need  to  be  able  to  trace  the  path  from  this  unsafe  act  to  the  final  outcome.  The 
unsafe  act  is  on  the  accident  or  incident  trajectory  if  its  removal  or  modification  would  have 
prevented  the  accident  or  incident.  State  the  facts  of  the  unsafe  act  or  condition;  do  not 
attribute  cause  at  this  stage.  The  most  critical  unsafe  act  or  condition  is  that  from  which  there 
is only one trajectory...the one that led directly to the accident or incident. Up until that
critical  act  or  condition,  there  were  always  options.  Once  the  critical  decision  has  been  made 
there  is  no  way  back.  The  accident  or  incident  crew  may  have  committed  several  unsafe  acts 
or  there  may  have  been  several  unsafe  conditions  that  you  wish  to  analyse,  in  which  case  you 
would  follow  the  process  for  each  of  these  unsafe  acts  or  conditions. 

WHO DO YOU START WITH? Start with the operators or crews who were directly involved in
the  unsafe  act  or  unsafe  condition.  These  are  the  operators  or  crews  who  were  controlling  the 
variable(s)  that  went  out  of  the  safe  or  acceptable  range(s)  (e.g.,  altitude,  airspeed,  aircraft 
position  with  respect  to  airspace  restrictions,  torque  on  a  nut,  installation  of  a  part).  Other 
players  and  latent  factors  or  pre-conditions,  both  human  and  machine,  will  be  identified  as 
you  go  through  the  SERA  process.  While  these  other  players  and  pre-conditions  may  have  set 
the  scene  for  the  accident  or  incident,  they  were  not  directly  involved  in  the  unsafe  act  or 
condition.  You  are  trying  to  find  out  why  these  particular  operators  or  crews  were  involved  in 
an  accident  or  incident.  For  other  operators  or  crews,  under  the  same  pre-conditions,  the 
outcome  may  have  been  different. 


STEP  2  (Ask  three  questions) 


For  each  unsafe  act,  ask  three  questions  of  the  operators  or  crewmembers  (do  this  before 
proceeding  to  the  next  steps): 


GOAL: 

“What was the operator or crewmember trying to achieve...what was the
intent  or  goal(s)  that  led  to  the  unsafe  act?” 

PERCEPTION: 

“What  did  the  operator  or  crewmember  believe  was  the  state  of  the  world 
with  respect  to  the  goal(s)?” 

ACTION: 

“How was the operator or crewmember trying to achieve the goal(s)?”

Each  of  these  statements  should  be  as  objective  as  the  information  allows.  Stick  to  the  facts; 
do  not  colour  the  descriptions  with  what  might  be  the  pre-conditions  or  directly  refer  to  what 
might  be  active  failures.  Do  not  pre-judge  the  situation.  These  statements  should  all  be  at  the 
same  level  of  description. 

The GOAL we are concerned with is the one that led directly to the unsafe act or unsafe
condition  we  are  analysing,  and  will  be  described  at  the  same  level  as  the  unsafe  act  or 
condition.  Defining  the  GOAL  is  always  critical  to  knowing  why  someone  did  something.  It 
is  the  first  line  of  defence  in  risk  management  and  sets  the  scene  for  the  observed  action.  The 
goals we set always involve an assessment of the risk, at least at some level (of course this is not
to  say  that  the  assessment  was  adequate  or  correct). 

The  description  of  the  PERCEPTION  should  include  only  those  factors  that  are  relevant  to 
the  stated  goal.  This  will  include  the  perceptual  information  required  to  judge  the  current 
state of the world with respect to the goal (“...are we there yet...has my goal been
achieved?”), as well as the information against which the appropriateness of the goal in
question is judged (“...does this goal satisfy my higher level goals such as level of risk, or
contribution to the mission?”). We also draw on information from our internal knowledge
states in forming the overall perception (past experience, training, knowledge of how things
work...drawing on our internal world model) as well as the sensory information currently
stimulating  our  receptors. 

The  ACTION  statement  should  include  only  those  actions  that  are  intended  to  achieve  the 
stated  GOAL. 

Identify  the  Active  Failures 

Start  the  analysis  with  one  of  these  questions  (usually  you  would  start  with  the 
PERCEPTION  so  you  can  see  the  context  for  the  goals  that  were  set,  but  you  might  start 
directly  with  the  GOAL  or  even  the  ACTION  if  that  is  the  only  direct  evidence  you  have); 
follow  the  process  down  to  the  active  failure(s)  by  asking  a  series  of  questions  related  to  each 
decision  point  in  the  process.  Do  this  for  STEPS  3  to  5. 

If the GOAL is stated at a high level (e.g., “...the Captain intended to fly the mission as
originally planned...”) then the PERCEPTION and ACTION statements will be at the same
level as the GOAL. Hence, you might identify several active failures in one or more of the
decision  ladders  for  what  are  essentially  sub-goals  of  this  higher-level  goal.  That’s  OK. 

If the GOAL is very specific (e.g., “...the pilot intended to level at 15000ft...”) you may
identify  just  a  single  point  of  failure  in  only  one  ladder  (PERCEPTION:  attentional  failure  - 
did  not  see  the  altimeter  advance  through  15000ft). 

Identify  the  Pre-conditions 

Once  you  have  identified  the  active  failure(s),  look  for  pre-conditions  that  were  acting  to 
make  the  active  failure(s)  more  likely.  A  set  of  most  likely  pre-conditions  has  been  associated 
with  each  active  failure  in  the  decision  ladders.  Use  these  as  a  guide  but  be  prepared  to 
identify  others.  For  a  condition  to  be  a  pre-condition  of  the  active  failure  ask  yourself 
“...would the outcome have been different if this condition was absent or different?” You
should  find  at  least  one  pre-condition  to  every  active  failure  but  you  may  find  many.  Note 
that  the  points  of  intervention  for  reducing  the  likelihood  that  the  active  failure  will  occur 
again  are  defined  by  the  pre-conditions,  not  the  active  failures.  In  SERA,  the  active  failures 
are  due  to  human  information  processing  limitations  that  are  basically  fixed  properties  of  the 
humans. 

In the process of identifying the pre-conditions to the unsafe act you might for example find a
case  where  a  supervisor  or  a  unit  initiated  a  risky  mission,  or  violated  Rules,  Regulations,  or 
SOPs.  These  might  be  seen  as  unsafe  acts  in  their  own  right  and  you  may  wish  to  analyse 
them  using  the  full  SERA  process. 

In  other  words,  the  unsafe  act  of  a  supervisor  was  identified  as  a  pre-condition  to  the  unsafe 
act of the accident crew. The supervisor’s unsafe act might then be fully analysed to identify
the  supervisor’s  active  failures  and  pre-conditions  to  these  failures,  using  the  three  questions: 

GOAL:  “What  was  the  supervisor  trying  to  achieve?” 

PERCEPTION:  “What  did  the  supervisor  believe  was  happening?” 

ACTION: “How was the supervisor trying to achieve the goal(s)?”

Many  pre-conditions  might  fit  into  this  class  and  be  candidates  for  detailed  analysis.  For 
example,  the  decision  to  buy  a  particular  aircraft  that  may  not  be  fully  suited  to  the  mission, 
the  decision  to  implement  a  new  work-rest  schedule,  or  the  decision  to  limit  the  amount  of 
NVG  training  in  a  Squadron.  These  might  all  be  found  to  be  pre-conditions  to  the  unsafe  act 
that  precipitated  the  accident  or  incident  that  is  under  investigation.  Now  you  want  to  find  out 
why  these  emergent  unsafe  acts  occurred.  Note  that  these  pre-conditions  remained  latent  or 
hidden until the accident occurred...they emerged as a result of the investigation.

Now  you  are  ready  to  proceed  with  STEP  3. 

STEP 3 (What was the perception?)


PERCEPTION 

“What  did  the  operator  or  crewmember  believe  was 
the  state  of  the  world  with  respect  to  the  goal(s)?” 


[Figure: decision ladder for PERCEPTION, showing the numbered points of active failure. Labels recoverable from the figure include No failure in perception, Sensory failure, Attentional, Time pressure and Information.]

In the following text, the paragraph numbers match the numbers associated with each point of
active  failure. 

For  the  PERCEPTION,  ask  if  the  operator  or  crew  had  a  correct  or  adequate  assessment  of 
the  situation.  In  other  words,  did  the  crew’s  assessment  of  the  situation  match  the  actual 
situation? 

3.1  No  Failure  in  Perception.  If  the  answer  is  YES,  you  would  exit  this  branch  with  “no 
failure  of  perception”  and  move  on  to  what  the  crew  was  trying  to  achieve  (GOAL)  or  how 
they  were  going  about  it  (ACTION). 

But  if  the  crew’s  PERCEPTION  was  incorrect  or  didn’t  provide  an  adequate  assessment  of 
the  situation  (in  other  words  the  crew’s  assessment  of  the  situation  did  NOT  match  the  actual 
situation),  go  on  to  ask  the  following. 

Did the operator or crew have the pre-requisite capability, knowledge or skills required to
sense  and  perceive  the  situation? 

If the answer to the question “...did the operator or crew have the pre-requisite capability,
knowledge  or  skills  required  to  sense  and  perceive  the  situation?”  is  NO,  then  the  failures  are 
either  in  SENSORY  capability  or  in  KNOWLEDGE  —  PERCEPTION  capability. 

3.2.1  SENSORY  Failure:  Before  you  can  correctly  perceive  the  situation,  you  have  to  be 
able  to  sense  the  incoming  visual,  auditory,  tactile  and  olfactory  cues  coming  from  the 
environment.  Did  the  operator  or  crew  have  the  visual  acuity  to  sense  the  visual  signal,  the 
sensitivity of hearing to detect the sound signal, the tactile feel to sense the force applied to the
part, etc.? If not, this is a SENSORY failure.

PRE-CONDITIONS  for  a  Sensory  failure:  some  or  all  of  the  following  pre-conditions 
(latent  factors  both  immediate  and  remote)  may  or  may  not  be  present.  Factors  other 
than  those  following  may  also  be  present. 

PHYSICAL  Capability:  the  crew  or  crewmember  either  permanently  or 
temporarily  lacked  the  physical  capability  to  sense  the  information. 

Selection:  the  selection  system  failed  to  screen  out  personnel  lacking  the 
underlying  physical  capabilities  (vision,  hearing,  tactile,  etc.)  to  sense  the 
information  required  to  perform  the  task. 

PHYSIOLOGICAL:  Various  physiological  factors  can  impair  sensory 
capabilities  (medical  illness,  pharmacological  and  toxicological  effects, 
acceleration effects, etc.).

PERSONAL  Readiness:  certain  personal  readiness  factors  may  contribute  to 
an  inability  to  sense  the  incoming  information  (e.g.,  not  wearing  corrective 
lens,  not  wearing  regulation  hearing  protection). 

OBJECTIVES:  are  the  task  objectives  consistent  with  the  physical  capabilities 
of  personnel  who  are  expected  to  carry  out  the  activities  or  the  performance 
of  the  equipment  provided  for  the  task? 

EQUIPMENT:  various  items  of  personal  equipment  may  interfere  with  the 
ability  to  sense  various  cues  from  the  world  (tinted  visors,  hearing  protection 
etc.). 

ENVIRONMENT: various environmental factors can result in a temporary
inability  to  sense  the  information  (e.g.,  vibration,  glare,  and  noise). 

Monitoring  and  Supervision:  was  the  lack  of  capability  previously 
observed  and  action  taken  to  re-assign  the  personnel? 

ORGANIZATIONAL  Process:  the  organization  must  ensure  that  relevant 
selection  standards  have  been  established,  and  that  personnel  deemed 
‘qualified’  have  been  selected  against  those  standards. 

OVERSIGHT:  were  systemic  deficiencies  in  selection  standards  known  and 
was  corrective  action  taken? 

3.2.2  Knowledge  (Perception)  Failure:  We  need  experience,  training,  or  previous 
exposure  to  certain  complex  environments  in  order  to  know  what  it  is  we  are  looking  at, 
touching,  hearing  etc.  An  obvious  example  is  the  need  for  a  specific  underlying  knowledge  to 
understand  a  foreign  language.  A  person  that  hasn’t  flown  may  not  be  able  to  form  a  correct 
perception  of  aircraft  attitude  and  location  in  space  by  observing  a  conventional  aircraft 
instrumentation  display.  In  other  words,  they  lack  the  knowledge  necessary  to  form  a  correct 
perception.  Does  the  operator  or  crew  have  the  necessary  underlying  knowledge  to  perceive 
the  situation?  If  not,  this  is  a  failure  in  KNOWLEDGE  -  PERCEPTION. 

Pre-conditions  for  a  Knowledge  -  Perception  failure:  some  or  all  of  the 
following  pre-conditions  (latent  factors  both  immediate  and  remote)  may  or  may  not 
be  present.  Factors  other  than  those  following  may  also  be  present. 

Selection:  the  selection  system  failed  to  screen  out  personnel  lacking  the 
basic  aptitudes  (perceptual,  language,  mathematical,  etc.)  that  would  allow 
the  situation  to  be  correctly  perceived. 

Training:  the  crew  or  crewmember  possessed  the  aptitudes  (perceptual, 
language,  mathematical,  etc.)  and  physical  capabilities  but  lacked  the 
baseline,  task  or  system  specific  knowledge  required  to  correctly  assess  the 
situation. 

CURRENCY:  the  operator  was  once  trained  to  standard  but  skills  have 
degraded  over  time  and  have  not  been  refreshed. 

Qualification  and  Authorization:  the  crew  was  not  qualified  and/or 
authorised  to  conduct  the  activity. 

Objectives:  are  the  task  objectives  consistent  with  the  knowledge  of 
personnel  who  are  expected  to  carry  out  the  activities? 

FORMING Intent: were the requirements of the mission appropriate for the
organization?

Communicating Intent: was the intent of the tasking understood?

Monitoring  and  Supervision:  in  authorising  an  activity,  supervisors 
have  a  responsibility  to  ensure  that  operators  are  qualified,  current  and  have 
the  requisite  knowledge  to  carry  out  the  task. 

PROVISION  OF  Resources:  were  adequate  human  resources  available  in 
terms  of  properly  qualified  personnel? 

ORGANIZATIONAL Process: the organization must ensure that relevant
standards  have  been  established,  qualified  personnel  have  been  trained  to  and 
assessed  against  those  standards,  and  have  maintained  their  currency. 

MISSION:  the  mission  exceeds  the  capability  of  the  organization. 

OVERSIGHT:  were  systemic  deficiencies  in  selection,  training,  tasking  and 
authorization  procedures  known  and  was  corrective  action  taken? 

If the answer to the question “...did the operator or crew have the pre-requisite capability,
knowledge  or  skills  required  to  sense  and  perceive  the  situation?”  is  YES,  then  there  has  been 
a  breakdown  in  situation  assessment. 

Was the perceived TIME PRESSURE (how much time you think it will take you to process
all the information divided by the amount of time that you think is available before you have
to action the decision) excessive (more than 100%, although people usually start to have
problems above 80%)? Ask yourself “...if there had seemed to be more time available, would
the  outcome  have  been  different?” 

If  the  answer  is  NO  then  time  pressure  was  NOT  a  factor  and  the  failure  has  been 
PERCEPTUAL,  ATTENTIONAL  or  in  human-human  or  human-machine 
COMMUNICATION.

Was the INFORMATION illusory or ambiguous?

If  the  answer  is  YES  then  the  failure  is  PERCEPTUAL. 

3.3.1  PERCEPTUAL  Failure:  The  information  was  available  but  could  be  interpreted  more 
than  one  way.  There  was  a  failure  in  PERCEPTION.  In  other  words,  all  relevant  sources  of 
information  were  attended  to,  but  an  incorrect  perception  was  formed  due  to  illusory  or 
ambiguous  information. 

Pre-conditions for a failure in Perception: some or all of the following
pre-conditions (latent factors both immediate and remote) may or may not be present.
Factors  other  than  those  following  may  also  be  present. 

Psychological:  the  perceptual  system  can  be  fooled  by  illusory 
information  (visual,  aural,  other)  including  those  inputs  that  lead  to  spatial 
disorientation. 

PHYSIOLOGICAL:  vehicle  motion  can  set  the  fluids  of  semi-circular  canals  in 
motion.  This  can  generate  incorrect  perceptions  of  spatial  orientation. 

TRAINING:  some  of  the  more  common  illusory  situations  can  be  trained  for. 
One  can  learn  to  suppress  conflicting  vestibular  cues,  strategies  for  the  black 
hole  effect,  compensation  for  sloping  runways  or  terrain  effects  on  approach. 

EQUIPMENT:  Ambiguous  displays  of  information  (visual,  auditory,  other)  can 
lead  to  misperceptions. 

ENVIRONMENT:  Poor  lighting,  glare  or  noisy  environments  can  contribute  to 
the  ambiguity  of  the  situation  by  making  important  information  less 
detectable. 

Perceptual Information Processing Biases: these biases shape how
we  weight  the  information  we  receive  from  the  world  (these  are  present  in  the 
absence  of  time  pressure  but  become  more  dominant  as  time  pressure 
increases).  They  are  not  brain  failures  but  represent  time  efficient  strategies 
for  human  problem  solving.  However,  they  can  let  us  down  due  to  the  way 
they  filter  the  available  information.  Here  are  some  examples: 

•  Availability:  the  probability  of  an  event  occurring  is  evaluated  by  the  ease 
with  which  relevant  instances  come  to  mind.  In  general,  frequent  events 
are easier to recall or imagine than infrequent ones and therefore we
think  they  are  more  likely  to  occur. 

•  Ignoring  prior  probabilities  -  ignoring  the  base  rate  or  underlying 
probabilities  of  a  particular  situation  (e.g.,  fog  in  the  region  at  this  time  of 
year, excessive downdrafts with the wind from a particular quarter).

•  Intuitive  statistician:  humans  tend  to  overestimate  the  likelihood  of 
occurrence  of  low  probability  events,  and  underestimate  the  occurrence  of 
high  probability  events. 

•  Anchoring  -  the  tendency  for  the  order  in  which  information  is  gathered 
to  guide  (or  anchor)  the  interpretation  of  the  situation.  If  the  information 
is  simple  we  tend  to  weight  the  information  received  first  most  heavily,  if 
it  is  complex  we  tend  to  weight  the  most  recently  received  information 
most  heavily. 

•  As-if  bias  -  people  tend  to  weight  all  data  as  equally  important  to  the 
decision  process  even  if  they  are  not. 

•  Representativeness  heuristic  -  the  tendency  to  assume  that  a  situation  that 
has  similar  characteristics  to  something  you  have  experienced  before,  is 
indeed  the  same. 

•  Expectation  -  our  perceptions  are  shaped  by  what  we  expect  or  do  not 
expect  (e.g.,  if  you  are  cleared  to  land  [expectation  is  that  the  runway  is 
clear],  you  would  not  expect  to  see  another  aircraft  occupying  the 
runway). 

Monitoring  and  Supervision:  have  inadequacies  in  equipment  or 
environment  been  reported  and  has  follow  up  action  been  initiated? 

Organizational Process: is there a process for handling reports of
hazardous  or  unsatisfactory  equipment  and  environments? 

Organizational Climate: are conditions that affect safe operations duly
investigated  and  corrected? 

OVERSIGHT:  have  systemic  deficiencies  in  training,  equipment  or  operating 
environment  been  recorded  and  has  correcting  action  been  taken? 

Was the INFORMATION available and correct? This means that there is a reasonable
expectation  that  the  information  could  be  perceived  correctly  if  attended  to. 

If  the  information  is  available  and  correct  then  the  failure  is  ATTENTIONAL. 


3.3.2  ATTENTIONAL  FAILURE:  If  so,  then  the  failure  is  to  ATTEND  to  and  assimilate  relevant 
information  that  was  present  or  accessible.  This  does  not  include  situations  where  the 
information  is  displayed  poorly  (information  illusory  or  ambiguous)  or  where  critical  cues  are 
missing  (information  incorrect  or  missing). 
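
The PERCEPTION ladder walked through above, as an added Python example that is not part of the original report or of the SERA software tool. The class and field names are hypothetical; treating a ratio above 100% as the "excessive" cut-off and mapping incorrect or missing information to the COMMUNICATION failure are assumptions drawn from the text, and the branch taken when time pressure is excessive lies outside this passage.

```python
"""STEP 3 PERCEPTION ladder, limited to the branches described in the text above."""
from dataclasses import dataclass
from enum import Enum
from typing import Optional

# Thresholds quoted in the text: problems usually start above 80%,
# and time pressure is excessive above 100%.
ELEVATED = 0.80
EXCESSIVE = 1.00


class Information(Enum):
    ILLUSORY_OR_AMBIGUOUS = "illusory or ambiguous"
    AVAILABLE_AND_CORRECT = "available and correct"
    INCORRECT_OR_MISSING = "incorrect or missing"


@dataclass
class PerceptionAnswers:
    """Investigator's answers for one unsafe act (hypothetical record layout)."""
    assessment_matched_situation: bool
    could_sense_cues: bool = True
    had_underlying_knowledge: bool = True
    time_needed_s: float = 0.0       # perceived time to process the information
    time_available_s: float = 1.0    # perceived time before the decision must be actioned
    information: Information = Information.AVAILABLE_AND_CORRECT


@dataclass
class Finding:
    paragraph: Optional[str]   # report paragraph number, None where the text gives none
    failure: str
    note: str = ""


def time_pressure(time_needed_s: float, time_available_s: float) -> float:
    """Perceived time needed divided by perceived time available (1.0 == 100%)."""
    if time_needed_s < 0 or time_available_s < 0:
        raise ValueError("times must be non-negative")
    if time_available_s == 0:
        return float("inf")    # no time left at all: pressure is unbounded
    return time_needed_s / time_available_s


def time_pressure_band(ratio: float) -> str:
    """Place a time-pressure ratio in one of three bands using the thresholds above."""
    if ratio > EXCESSIVE:
        return "excessive"
    if ratio > ELEVATED:
        return "elevated"
    return "acceptable"


def classify_perception(a: PerceptionAnswers) -> Finding:
    """Walk the ladder top to bottom and return the first point of active failure."""
    if a.assessment_matched_situation:
        return Finding("3.1", "No failure in perception")
    # Capability branch: could the crew sense and interpret the cues at all?
    if not a.could_sense_cues:
        return Finding("3.2.1", "SENSORY failure")
    if not a.had_underlying_knowledge:
        return Finding("3.2.2", "KNOWLEDGE (PERCEPTION) failure")
    # Capability was present, so situation assessment broke down.
    ratio = time_pressure(a.time_needed_s, a.time_available_s)
    band = time_pressure_band(ratio)
    if band == "excessive":
        return Finding(None, "TIME PRESSURE was a factor",
                       "branch not covered by the passage above")
    note = "time pressure above 80%: review with the analyst" if band == "elevated" else ""
    if a.information is Information.ILLUSORY_OR_AMBIGUOUS:
        return Finding("3.3.1", "PERCEPTUAL failure", note)
    if a.information is Information.AVAILABLE_AND_CORRECT:
        return Finding("3.3.2", "ATTENTIONAL failure", note)
    # Assumption: by elimination, incorrect or missing information is the
    # human-human or human-machine COMMUNICATION failure named in the text.
    return Finding(None, "COMMUNICATION failure", note)


# Constructed cases. The first follows the report's own example of a pilot who
# intended to level at 15000ft but did not see the altimeter pass through it;
# the timings are invented for illustration.
CASES = {
    "missed altimeter": PerceptionAnswers(False, time_needed_s=2, time_available_s=10),
    "glare on display": PerceptionAnswers(False, could_sense_cues=False),
    "black hole approach": PerceptionAnswers(
        False, time_needed_s=9, time_available_s=10,
        information=Information.ILLUSORY_OR_AMBIGUOUS),
    "rushed decision": PerceptionAnswers(False, time_needed_s=12, time_available_s=10),
}

if __name__ == "__main__":
    for name, answers in CASES.items():
        f = classify_perception(answers)
        print(f"{name}: {f.paragraph or '-'} {f.failure} {f.note}".rstrip())
```

The returned finding names only the active failure; the points of intervention are still the pre-conditions listed under each numbered paragraph.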

PRE-CONDITIONS for a failure to ATTEND: some or all of the following
pre-conditions (latent factors both immediate and remote) may or may not be present.
Factors  other  than  those  following  may  also  be  present. 

Physiological:  fatigue,  drowsiness. 

PSYCHOLOGICAL:  various  psychological  factors  can  contribute  to 
attentional  failures.  For  example:  vigilance  decrement,  distraction,  failure  to 
use  all  available  resources  due  to  lack  of  motivation,  or  complacency. 
Distraction  and  Life  Stress:  factors  external  to  the  primary  task  that  compete 
for  attention  (prolonged  extraneous  conversation,  financial  concerns, 
domestic  problems,  forthcoming  exams  or  a  meeting,  a  purchase  etc.).  While 
your  attention  is  turned  to  these  external  events  it  is  not  available  to  apply  to 
the  primary  task.  These  are  pervading  factors  that  act  over  extended  periods 
of  time  during  the  performance  of  the  task.  They  are  not  momentary 
distracters  due  to  an  alarm,  a  loud  noise,  or  a  brief  flash  in  the  visual  field. 
Mental  fatigue:  weariness  felt  after  long  periods  of  intense  mental  activity 
and  sustained  attention  that  affects  the  ability  to  concentrate  on  the  task  at 
hand. 

Information  Processing  Biases:  Attentional  information  processing 
biases  shape  what  we  attend  to  (they  are  present  in  the  absence  of  time 
pressure  but  become  more  dominant  as  time  pressure  increases).  They  are 
not  brain  failures  but  represent  time  efficient  strategies  for  human  problem 
solving.  However,  they  can  let  us  down  as  they  filter  the  available 
information.  Here  are  some  examples: 

•  Salience  -  we  are  hard  wired  to  attend  to  and  place  higher  emphasis 
on  information  associated  with  loud  sounds,  bright  lights,  motion  and 
position  in  our  visual  fields  (in  our  central  field,  at  the  top  of  displays 
etc.).  Highly  salient  cues  can  direct  attention  away  from  more 
important  information. 

•  Confirmation  bias  -  the  tendency  to  seek  out  information  that 
confirms  our  initial  assessment  rather  than  information  that  is 
contrary. 

SOCIAL:  peer  pressure  may  make  people  extend  the  recommendations  of 
established  work-rest  schedules.  A  lack  of  cohesiveness  in  a  team  can  lead  to 
reduced  motivation  and  social  loafing  with  reduced  information  seeking 
behaviour.  Over  confidence  within  the  team  may  result  in  complacency  with 
a  resultant  restriction  in  the  locus  of  attention. 

PERSONAL  Readiness:  leaving  life  stresses  behind  (these  are  distracters  that 
consume  attentional  resources),  reporting  to  work  well  rested. 

TIME Pressure: sustained operation in a situation of excessive time
pressure  leads  to  chronic  fatigue.  Alternatively,  the  use  of  human  operators 
in  tasks  that  require  sustained  vigilance  for  long  periods  of  time  (more  than 
20-30  minutes  at  a  time)  will  result  in  predictable  decrements  in  performance. 

Equipment: badly placed displays may reduce the likelihood that they will
be attended to... they are outside the normal scanning pattern.

ENVIRONMENT: high noise or high vibration environments contribute to
operator fatigue.

Monitoring and Supervision: was chronic fatigue detected amongst
operators and was this information passed up the chain?

Organizational  Processes  and  Practices:  are  there  processes  in 
place  for  monitoring  the  state  of  the  operators  and  correcting  the  task 
objectives  if  necessary?  Are  scheduling  guidelines  in  place  that  account  for 
known  human  capabilities  and  limitations? 

PROVISION  OF  Resources:  are  sufficient  personnel  resources  available  to 
allow  appropriate  work-rest  schedules? 

Organizational  Climate:  are  work-rest  schedules  respected  or  are 
people  expected  to  put  in  the  extra  effort? 

OVERSIGHT:  were  systemic  problems  with  operator  fatigue  known  and  was 
corrective  action  taken? 

Was  the  INFORMATION:  unavailable  or  incorrect?  This  means  that  it  could  not  reasonably 
be  expected  that  the  information  could  be  correctly  obtained  and  assimilated  even  if  due 
attention  was  paid.  It  is  not  that  the  information  is  ambiguous,  but  rather  that  it  is  absent. 

In  this  case  the  failure  is  in  COMMUNICATION. 

3.3.3  Communication  Failure:  In  this  case  the  failure  is  in  Communication:  between 
machine  and  human,  or  human  and  human  including  a  failure  to  pass  relevant  information,  or 
passing  incorrect  information. 

Pre-conditions  for  a  failure  in  Communication:  some  or  all  of  the  following 
pre-conditions  (latent  factors  both  immediate  and  remote)  may  or  may  not  be  present. 
Factors  other  than  those  following  may  also  be  present. 

PSYCHOLOGICAL:  Human  team  members  may  have  incorrect  perceptions  of 
a  situation,  or  may  retrieve  the  wrong  information  from  memory.  This  can 
result  in  the  incorrect  information  being  passed  to  the  person  or  persons 
involved  in  committing  the  unsafe  act. 

SOCIAL:  certain  factors  will  influence  the  willingness  of  team  members  to 
communicate  freely  and  openly.  For  example:  their  commitment  to  the  team, 
the  level  of  trust  and  respect,  and  the  authority  gradient  will  affect  their 
receptiveness  to  receive  information  (calibrate  their  mental  models)  and  their 
willingness  to  communicate  information. 

EQUIPMENT: human-machine communication will be degraded by
inadequate  displays  of  information  (lacking  necessary  cues)  or  displays  that 
provide  incorrect  information. 

ENVIRONMENT:  Poor  lighting,  glare  or  noisy  environments  can  mask 
information  and  prevent  it  from  being  communicated. 

MONITORING  and  Supervision:  have  inadequacies  in  team  working, 
equipment  or  environment  been  reported  and  has  follow  up  action  been 
initiated? 

Organizational Process: is there a process for handling reports of
hazardous or unsatisfactory team working, equipment and environments?

Organizational Climate: are conditions that affect safe operations duly
investigated and corrected?

OVERSIGHT: were systemic problems in team working, equipment or
environment known and corrective action taken?

If the answer to the question “...did the operator or crew have the pre-requisite capability,
knowledge or skills required to sense and perceive the situation?” is YES, then there has been
a breakdown in situation assessment.

Was the perceived TIME PRESSURE (how much time you think it will take you to process all
the information, divided by the amount of time that you think is available before you have to
action the decision) excessive (more than 100%, although people usually start to have
problems above 80%)? Ask yourself “...if there had seemed to be more time available, would
the outcome have been different?”

If  the  answer  is  YES  then  the  perceived  time  pressure  was  excessive  and  there  has  been  a 
breakdown  in  the  time-attention  trade-off.  It  is  the  time  pressure  at  the  point  of  failure  —  that 
is,  at  the  time  when  the  critical  decision  was  processed  —  that  is  crucial  although  prolonged 
exposure  to  excessive  time  pressure  can  lead  to  chronic  fatigue  that  can  contribute  to  other 
failures.  When  the  time  pressure  is  excessive,  the  failure  has  either  been  ATTENTIONAL  or  in 
the  use/non-use  of  Time  Management  strategies. 

3.4.1  ATTENTIONAL  FAILURE:  A  failure  in  ATTENTION  due  to  excessive  demands  in  the 
time  domain  is  a  result  of  a  breakdown  in  the  time-attention  trade-off.  To  know/perceive  you 
must  attend,  and  to  attend  you  must  have  time. 

Pre-conditions  for  a  failure  in  Attention  due  to  excessive  demands  in  the  time 
domain:  some  or  all  of  the  following  pre-conditions  (latent  factors  both  immediate 
and  remote)  may  or  may  not  be  present.  Factors  other  than  those  following  may  also 
be  present. 

TIME  PRESSURE:  insufficient  time  to  attend  to  all  necessary  information. 

The  task  uses  too  much  of  the  timeline  (>80%).  Even  with  an  effective  time 
management  strategy  there  would  be  insufficient  time  to  attend  to  all  the 
critical  information. 

PHYSIOLOGICAL:  physiological  conditions  such  as  fatigue,  effects  of 
pharmacological  and  toxicological  agents  can  slow  information  processing, 
increasing  decision  times  and  occupying  the  timeline.  This  will  increase  the 
time pressures experienced. If these factors were not operating, time pressure
would  have  been  acceptable. 

PSYCHOLOGICAL:  Mental  fatigue:  a  weariness  felt  after  long  periods  of 
intense  mental  activity  and  sustained  attention  that  affects  the  ability  to 
concentrate  on  the  task  at  hand. 

TRAINING:  deficiencies  in  baseline  knowledge  mean  that  what  should  be  fast 
skill-based  problem  solving  becomes  slower  rule-  or  knowledge-based 
problem  solving.  Decisions  take  longer  for  the  inadequately  trained  operator 
and  time  pressure  increases  accordingly. 

EQUIPMENT:  equipment  that  is  difficult  or  awkward  to  use,  or  otherwise  has 
a  poor  operator  interface,  can  slow  up  the  performance  of  the  task  to  the  point 
where  the  time  pressure  becomes  elevated. 

ENVIRONMENT:  environmental  variables  such  as  glare,  vibration,  noise  can 
increase  the  times  required  to  assimilate  information  leading  to  increased  time 
pressure. 

Monitoring  and  Supervision:  managers  and  supervisors  need  to  be 
aware  of  tasks  that  impose  excessive  time  pressures  and  initiate  corrective 
action. 

PROVISION  OF  Resources:  lack  of  resources,  ‘doing  more  with  less’,  can 
lead  to  excessive  tempos. 

MISSION:  inappropriate  for  the  resources  available. 

Oversight:  was  it  known  that  there  were  systemic  problems  with  excessive 
time  pressure  at  the  task  level,  and  was  corrective  action  taken? 

3.4.2  Time  management  Failure:  A  failure  in  Time  management  is  due  to  an  incorrect 
or  inappropriate  prioritisation  of  attention.  Would  a  different  sampling  strategy  have  helped? 
There  are  essentially  two  strategies  for  managing  excessive  time  pressure.  One  strategy  is  to 
make  the  task  less  difficult  (meaning  less  information  to  process)  by  delegating,  postponing, 
shedding activities or otherwise making the task less complex; a second strategy is to extend
the  time  before  you  have  to  action  the  decision  (slowing  the  task  tempo).  Did  the  operator  or 
crew  attempt  to  manage  the  timeline?  Was  the  employed  strategy  effective  and  were  there 
better  strategies? 

PRE-CONDITIONS  for  a  failure  in  Time  MANAGEMENT:  some  or  all  of  the  following 
pre-conditions  (latent  factors  both  immediate  and  remote)  may  or  may  not  be  present. 
Factors  other  than  those  following  may  also  be  present. 

TRAINING:  part  of  the  training  process  involves  learning  what  is  important 
and  what  can  be  ignored,  and  methods  for  controlling  the  tempo.  An 
effective  time  management  strategy  depends  on  this  knowledge. 

TIME  Pressure:  task  tempos  that  are  inherently  high  generate  high  time 
pressures  and  routinely  require  the  use  of  effective  time  management 
strategies. 

Monitoring and Supervision: managers and supervisors need to be
aware  of  tasks  that  impose  excessive  time  pressures  and  ensure  that  training  is 
appropriate. 

PROVISION  OF  Resources:  resources  for  training  to  the  required  level 
should  be  available. 

MISSION:  inappropriate  for  the  resources  available.  The  mission  should  be 
compatible  with  the  current  capabilities  of  all  operators. 

Oversight: were task tempos routinely excessive, and was corrective action
taken?

STEP 4 (What was the goal?)

Consider  what  the  operator  or  crew  was  intending  to  do.  What  was  the  GOAL? 


In  the  following  text,  the  paragraph  numbers  match  the  numbers  associated  with  each  point  of 
active  failure. 


Was  the  GOAL  consistent  with  rules,  regulations  and  SOPs,  and  was  it  also  consistent  with 
good  risk  management? 

4.1  No  FAILURE  IN  Intent:  if  the  answer  is  YES,  you  would  exit  this  branch  with  “no 
failure  of  intent”  and  move  on  to  what  the  crew  thought  was  happening  (PERCEPTION)  or 
what  they  were  trying  to  do  about  it  (ACTION). 

But  if  the  answer  to  any  of  these  questions  is  NO,  then  there  has  been  a  failure  in  INTENT  and 
you  would  need  to  look  at  the  following  possibilities. 

The  unsafe  act  resulted  from  exercising  a  goal  that  was  inconsistent  with  Rules  and 
Regulations.  This  is  a  failure  of  INTENT  (VIOLATION). 

Was  it  a  ROUTINE  VIOLATION  or  an  EXCEPTIONAL  VIOLATION? 

4.2.1 ROUTINE Violation: A ROUTINE VIOLATION tends to be routine/habitual by
nature  and  is  a  part  of  the  individual's  normal  behaviour.  This  is  often  thought  of  as 
“bending”  the  rules.  These  violations  are  often  tolerated  and,  in  effect,  sanctioned  by 
supervisory  authority.  By  definition,  if  a  routine  violation  is  identified,  one  must  look  further 
up  the  supervisory  chain  to  identify  those  that  are  condoning  the  violations.  Failures  of  Intent 
that  result  in  violations  do  not  require  that  the  operator  knowingly  broke  the  rules. 

Pre-conditions  for  a  failure  of  Intent  (routine  violation):  some  or  all  of  the 
following  pre-conditions  (latent  factors  both  immediate  and  remote)  may  or  may  not 
be  present.  Factors  other  than  those  following  may  also  be  present. 

TRAINING: lack of familiarity with the Rules and Regulations (“...I didn’t
know I was doing anything wrong”).

PSYCHOLOGICAL:  certain  attitudinal  states  (e.g.,  anti-authoritarianism,  group 
think)  may  result  in  personnel  being  more  prone  to  tolerating  routine 
violations. 

SOCIAL:  various  social  pressures  (e.g.,  peer  pressure,  poor  leadership)  may 
contribute  to  routine  rule  breaking  behaviour. 

Qualification and Authorization: were the crew qualified and
authorized  to  conduct  the  activity? 

TIME  PRESSURE:  systemic  excessive  time  pressure  may  cause  operators  to 
look  for  short  cuts  that  get  around  the  constraints  of  the  Rules  and 
Regulations. 

Objectives:  were  the  objectives  for  the  task  consistent  with  the 
communicated  intent? 

FORMING  Intent:  was  the  intent  of  the  activity  clearly  defined  and  in 
accordance  with  the  organization’s  Rules  and  Regulations? 

Communicating  Intent:  was  the  intent  of  the  activity  clearly 
communicated  and  understood? 

Monitoring  and  Supervision:  somewhere  the  command  and 
control/supervision chain has failed to detect and/or correct systemic
behaviours  that  deviate  from  the  Rules  and  Regulations. 

Organizational Climate: the organization doesn’t act in accordance with
values  based  on  safe  operation,  adherence  to  the  rules  etc.  It  doesn’t  reward 
those  who  try  to  keep  these  values,  for  example,  the  organization  values  and 
rewards  ‘getting  the  job  done’  above  all  else. 

RULES  and  Regulations:  rules  and  regulations  form  the  constraints  within 
which  the  task  must  be  performed.  Are  they  consistent  with  achieving  the 
stated  objectives? 

OVERSIGHT: was rule breaking endemic, was this known, and was correcting
action taken or was this behaviour condoned?

4.2.2  EXCEPTIONAL  Violation:  Exceptional  violations  are  isolated  departures  from 
authority  and  not  necessarily  typical  of  an  individual’s  behaviour  pattern.  Usually, 
management does not condone this behaviour. It is important to note that while most
exceptional  violations  are  flagrant,  they  are  not  considered  ‘exceptional’  because  of  their 
extreme  nature.  Rather,  they  are  considered  exceptional  because  they  are  neither  typical  of 
the  individual  nor  condoned  by  authority.  Failures  of  Intent  that  result  in  violations  do  not 
require  that  the  operator  knowingly  broke  the  rules. 

Pre-conditions  for  a  failure  in  Intent  (exceptional  violation):  some  or  all 
of  the  following  pre-conditions  (latent  factors  both  immediate  and  remote)  may  or 
may  not  be  present.  Factors  other  than  those  following  may  also  be  present. 

TRAINING: lack of familiarity with the Rules and Regulations (“...I didn’t
know  I  was  doing  anything  wrong”). 

Psychological  States:  certain  attitudinal  states  (e.g.,  excessive 
motivation  to  achieve  the  task)  may  result  in  an  operator  being  more  prone  to 
an  exceptional  violation. 

Information  Processing  Biases:  limit  the  information  attended  to,  how 
it  is  perceived  and  the  actions  that  come  from  the  decision  making  process. 
The  intent  may  not  have  been  evaluated  for  potential  violations. 

SOCIAL:  various  social  pressures  (e.g.,  trans-cockpit  or  rank  gradient,  peer 
pressure,  poor  leadership)  may  contribute  to  rule  breaking  behaviour. 

Qualification  and  Authorization:  were  the  crew  qualified  and 
authorized  to  conduct  the  activity? 

TIME  PRESSURE:  excessive  time  pressure  may  cause  operators  to  look  for 
short  cuts  that  get  around  the  constraints  of  the  Rules  and  Regulations. 

Objectives:  were  the  objectives  for  the  task  consistent  with  the 
communicated  intent? 

FORMING  Intent:  was  the  intent  of  the  activity  clearly  defined  and  in 
accordance  with  the  organization’s  Rules  and  Regulations? 

Communicating  Intent:  was  the  intent  of  the  activity  clearly 
communicated  and  understood? 

Monitoring  and  Supervision:  supervision  should  ensure  that  the  team  is 
qualified  and  authorised  to  perform  the  task  and  has  planned  an  activity  in 
accordance  with  the  Rules  and  Regulations. 

RULES  and  Regulations:  rules  and  regulations  form  the  constraints  within 
which  the  task  must  be  performed.  Are  they  consistent  with  achieving  the 
stated  objectives? 

Did  the  unsafe  act  result  from  exercising  a  goal  that,  although  consistent  with  Rules  and 
Regulations,  was  not  consistent  with  established  operating  procedures  or  did  not  manage  or 
bound  the  risk  (the  observed  unsafe  behaviour  stemmed  from  a  risky  rather  than  conservative 
goal)?

If  so,  there  was  a  failure  in  INTENT  (NON  VIOLATION). 

4.3.1  Intent  (non-violation)  Failure:  For  a  goal  to  be  classified  as  a  failure  of  Intent 
(non  violation),  the  perception  of  the  situation  must  be  correct  and  you  have  to 
intentionally choose the risky option (you may or may not have fully evaluated the risk). If
there  is  no  conservative  option  that  will  satisfy  the  task  objectives,  one  would  need  to  look  to 
the  task  objectives  and  the  mission  requirements  for  the  pre-conditions  that  have  created  this 
situation. 

Pre-conditions  for  a  failure  of  Intent  (non  violation):  some  or  all  of  the 
following  pre-conditions  (latent  factors  both  immediate  and  remote)  may  or  may  not 
be  present.  Factors  other  than  those  following  may  also  be  present. 

Psychological:  certain  attitudinal  states  (e.g.,  excessive  motivation  to 
achieve  the  task,  overconfidence)  may  result  in  an  operator  being  more  prone 
to  choosing  risky  behaviour  and  less  prone  to  fully  evaluating  the  risk. 

INFORMATION PROCESSING BIASES: limit the information attended to, how
it  is  perceived  and  the  actions  that  come  from  the  decision  making  process. 
The  goal  choice  may  not  have  been  evaluated  for  risk.  More  conservative 
goals  may  not  have  been  formulated  for  comparison  with  the  chosen  course. 

TRAINING:  There  was  a  lack  of  familiarity  with  safe  practices  and  risk 
management  strategies. 

Qualification  and  Authorization:  were  the  crew  qualified  and 
authorized  to  conduct  the  activity? 

OBJECTIVES:  do  the  objectives  of  the  task  inherently  involve  high  risk? 

FORMING  Intent:  was  the  intent  of  the  activity  clearly  defined  at  the 
Command,  Control  and  Supervisory  level  and  did  it  balance  risk  against 
benefit? 

Communicating  Intent:  was  the  intent  of  the  activity  clearly 
communicated  at  the  Command,  Control  and  Supervisory  level  and 
understood? 

Monitoring  and  Supervision:  supervision  should  ensure  that  the  team  is 
qualified  and  authorised  to  perform  the  task  and  has  planned  an  activity  in 
accordance  with  safe  practices  and  appropriate  risk  management  criteria. 

MISSION:  the  mission  exceeds  the  capability  of  the  organization. 

Rules  and  Regulations:  do  the  Rules  and  Regulations  adequately 
manage  foreseeable  risk? 

Organizational  Process  and  Practices:  does  the  organization  have 
SOPs  and  formal  risk  management  processes  in  place? 

Organizational  Climate:  does  the  organization  tolerate  high  risk  as  a 
matter  of  course? 

OVERSIGHT:  was  it  known  that  established  risk  management  procedures 
were  not  being  used  routinely,  and  was  corrective  action  taken? 

STEP 5 (What was the action?)

Consider  how  the  operator  or  crew  was  trying  to  achieve  the  Goal.  What  was  the  ACTION? 


[Figure: Step 5 decision ladder. Decision points: ACTION (“How was the operator trying to achieve the goal(s)?”); ACTION implemented as intended?; ACTION correct or adequate?; CAPABILITY (had the pre-requisite capability to make a response?); TIME PRESSURE excessive? Outcomes: 5.1 No failure in action selection; failure in action selection; failure in action execution; inability to respond (baseline or temporary capability failure); knowledge failure (decision); time management failure; failure in attention-time trade-off; action selection failure (failure in the decision making process); feedback failure; 5.5.1 slips, lapses and mode errors; 5.5.2 feedback failure.]

In the following text, the paragraph numbers match the numbers associated with each point of
active failure.

Was  the  action  (including  an  intended  no  action),  correct  and  adequate  to  achieve  the  goal  in 
an  appropriate  (i.e.,  converging  on  the  GOAL)  and/or  timely  fashion? 

5.1  No  Failure  in  Action:  If  the  answer  is  YES,  then  you  would  exit  this  branch  with  “no 
failure  of  action”  and  move  on  to  what  the  crew  thought  was  happening  (PERCEPTION)  or 
what  they  were  trying  to  achieve  (GOAL). 

But  if  the  answer  to  any  of  these  questions  is  NO,  then  there  has  been  a  failure  in  ACTION 
selection  or  execution. 

Now  ask  if  the  action  that  occurred  was  the  intended  action  or  not.  Their  action  may  not  have 
had  the  intended  results,  but  did  they  do  what  they  intended  to  do? 

Suppose  the  crew  implemented  the  intended  action  to  the  perceived  situation  (including  no 
action  if  this  was  the  intended  response),  but  the  action  selected  (including  an  intended  no 
action)  was  incorrect,  was  inadequate  for  achieving  the  goal  in  an  appropriate  and/or  timely 
fashion,  or  the  selected  action  didn’t  manage  risk. 

Did  the  operator  or  crew  have  the  pre-requisite  capability,  knowledge  or  skills  required  to 
form  and  implement  an  appropriate  action  to  the  situation? 

If  the  answer  is  NO  then  the  failure  must  be  either  in  the  KNOWLEDGE  -  DECISION  required 
to  form  the  response  or  in  the  capabilities  required  to  RESPOND  to  the  situation  (i.e.,  to 
implement  the  action). 

5.2.1  Response  Failure:  A  failure  in  the  capability  to  respond  is  a  failure  in  the 
capability  to  implement  the  action  rather  than  in  not  knowing  what  to  do. 

PRE-CONDITIONS for a failure to RESPOND: some or all of the following pre-conditions
(latent factors both immediate and remote) may or may not be present.
Factors  other  than  those  following  may  also  be  present. 

PHYSICAL  Capability:  the  crew  or  crewmember  either  permanently  or 
temporarily  lacked  the  physical  capability  to  implement  the  action. 
Insufficient  strength  or  endurance  may  make  an  operator  temporarily  or 
permanently  unable  to  implement  the  required  actions. 

Selection:  the  selection  system  failed  to  screen  out  personnel  lacking  the 
basic  physical  capabilities  (strength,  reach,  vocalization  effort,  etc.)  that 
would  allow  the  action  to  be  implemented. 

PHYSIOLOGICAL:  physical  injury  or  other  physiological  factors  (e.g.,  cold 
exposure,  heat  stress). 

PERSONAL  Readiness:  certain  personal  readiness  factors  may  contribute  to 
an  inability  to  implement  the  action  (e.g.,  muscle  strains  or  injuries  obtained 
outside  the  work  environment,  not  having  required  protective  equipment  on 
hand). 

Qualification  and  Authorization:  were  the  crew  qualified  and 
authorized  to  conduct  the  activity? 

OBJECTIVES: are the task objectives consistent with the physical capabilities
of  personnel  who  are  expected  to  carry  out  the  activities,  or  the  performance 
of  the  equipment  provided  for  the  task? 

EQUIPMENT:  poor  design  or  a  failure  in  the  equipment  (e.g.,  power 
assistance)  makes  the  action  impossible  for  some  or  all  qualified  operators. 
Various  items  of  personal  equipment  may  interfere  with  the  ability  to 
implement  the  response  (gloves,  masks,  harnesses  etc.). 

WORKSPACE:  constraints  within  the  workspace  may  make  the  required 
response  difficult  or  impossible  for  certain  members  of  the  population,  for 
example,  physical  obstructions,  cramped  working  conditions. 

ENVIRONMENT:  certain  environmental  factors  such  as  noise,  g-loading, 
temperature,  or  vibration  may  make  it  difficult  or  impossible  to  implement 
the  action. 

Monitoring  and  Supervision:  in  authorising  an  activity,  supervisors 
have  a  responsibility  to  ensure  that  operators  are  qualified  and  are  capable  of 
doing  the  job. 

ORGANIZATIONAL  Process:  the  organization  must  ensure  that  relevant 
standards  have  been  established,  and  that  qualified  personnel  have  been 
selected  against  those  standards. 

PROVISION  OF  Resources:  were  adequate  materiel  and  human  resources 
available? 

OVERSIGHT:  were  systemic  deficiencies  in  selection  standards  known  and 
was  corrective  action  taken? 

5.2.2  Knowledge  (decision)  Failure:  A  failure  in  Knowledge  -  decision  is  a  failure 
in  knowing  how  to  respond  appropriately  and  in  a  timely  fashion,  rather  than  having  the 
capability  to  implement  the  action. 

Pre-conditions  for  a  failure  in  Knowledge  (decision):  some  or  all  of  the 
following  pre-conditions  (latent  factors  both  immediate  and  remote)  may  or  may  not 
be  present.  Factors  other  than  those  following  may  also  be  present. 

Selection:  the  selection  system  failed  to  screen  out  personnel  lacking  the 
basic  abilities  (aptitude,  problem  solving  abilities,  etc.)  that  would  allow  an 
action  to  be  formed. 

TRAINING:  the  crew  or  crewmember  had  the  basic  abilities  but  lacked  the 
task  specific  knowledge  required  to  form  an  action. 

Currency:  skills  have  degraded  over  time  and  have  not  been  refreshed. 

Qualification  and  Authorization:  were  the  crew  qualified  and 
authorized  to  conduct  the  activity? 

Monitoring  and  Supervision:  in  authorising  an  activity,  supervisors 
have  a  responsibility  to  ensure  that  operators  are  qualified  and  current. 

ORGANIZATIONAL Process: the organization must ensure that relevant
standards  have  been  established,  qualified  personnel  have  been  trained  to  and 
assessed  against  those  standards,  and  have  maintained  their  currency. 

MISSION:  the  mission  exceeds  the  capability  of  the  organization. 

OVERSIGHT:  were  systemic  deficiencies  in  selection,  training,  tasking  and 
authorization  procedures  known  and  was  corrective  action  taken? 

Suppose  the  crew  implemented  the  intended  action  to  the  perceived  situation  (including  no 
action  if  this  was  the  intended  response),  but  the  action  selected  (including  an  intended  no 
action)  was  incorrect,  was  inadequate  for  achieving  the  goal  in  an  appropriate  and/or  timely 
fashion,  or  the  selected  action  didn’t  manage  risk. 

Did  the  operator  or  crew  have  the  pre-requisite  capability,  knowledge  or  skills  required  to 
form  and  implement  an  appropriate  action  to  the  situation?  If  the  answer  is  YES  then  was  the 
Time  Pressure  within  limits? 

Was the perceived TIME PRESSURE (how much time you think it will take you to process all
the information, divided by the amount of time that you think is available before you have to
action the decision) excessive (more than 100%, although people usually start to have
problems above 80%)? Ask yourself “...if there had seemed to be more time available, would
the outcome have been different?”

If  the  answer  is  NO  then  time  pressure  was  not  a  factor  and  the  failure  has  been  in  Action 
selection,  or  in  the  lack  of  Feedback. 

5.3.1  Action  Selection  Failure:  A  failure  in  Action  Selection  is  a  failure  in  the 
decision  process  due  to  shortcomings  in  action  selection,  rather  than  a 
misunderstanding/misperception  of  the  situation.  These  are  failures  to  formulate  the  right 
plan  rather  than  a  failure  to  carry  out  the  plan.  For  example: 

•  An  incorrect  or  inadequate  procedure  was  implemented  as  intended.  A  correct  or 
adequate  action  does  exist  in  memory  but  was  not  selected.  This  includes  an 
inappropriate  ‘no  action.’  For  example: 

•  Failures  in  knowledge-based  reasoning  due  to  working  memory  limitations,  or  processing 
biases. 

• Failures in rule-based (IF ‘A’ then ‘B’) reasoning where once the IF part of the situation
is  recognised  the  THEN  part  of  a  previously  used  rule  is  inappropriately  applied.  This 
typically  occurs  when  exceptions  to  rules  are  not  recognised. 

•  Failures  to  use  the  appropriate  technique,  but  only  if  the  operator  could  demonstrate  a 
correct  or  adequate  technique  under  other  circumstances. 

Pre-conditions for a failure in Action Selection: some or all of the following pre-conditions
(latent factors both immediate and remote) may or may not be present. Factors
other  than  those  following  may  also  be  present. 

PSYCHOLOGICAL:  limits  in  working  memory  capabilities  limit  our  ability  to 
manipulate  large  amounts  of  information  in  our  head.  This  can  lead  to  failures  in 
problem  solving  at  the  rule  and  knowledge  based  levels. 

DECISION Biases: a failure in the decision process due to shortcomings in action
selection. These biases affect action selection (they are present in the absence of
time pressure but become more dominant as time pressure increases). They are
not brain failures but represent time-efficient strategies for human problem
solving. However, they can let us down because they filter the available information.
Here are some examples:

•  Availability  -  the  tendency  to  use  the  response  that  is  most  familiar  or  has 
been  used  recently. 

• Over confidence - people in general are more confident of their chosen
course of action than is reasonable given the uncertainty in the decision-making
environment. There is the potential to close off the search for
answers before all available evidence can be collected because of
overconfidence.

•  First-to-fit:  the  selection  of  the  first  course  of  action  that  seems 
appropriate.  Operators  often  do  not  explore  a  complete  or  even  a  large 
set  of  options. 

•  Sunk  cost  bias  -  a  tendency  to  put  more  resources  into  a  process  that  you 
already  have  an  investment  in. 

•  Strategy  persistence  -  a  tendency  to  keep  doing  what  you  have  been 
doing  even  though  an  outside  observer  can  see  that  it  is  no  longer 
appropriate  (pressing  on). 

5.3.2  Feedback  Failure:  If  Feedback  is  not  present,  such  as  when  attention  is  shifted 
prematurely  (before  goal  achievement),  there  is  a  failure  in  error  correction.  These  include 
failures  to  backup,  crosscheck  or  monitor  to  ensure  that  the  goal  has  been  achieved. 

PRE-CONDITIONS for a failure in FEEDBACK: some or all of the following
pre-conditions (latent factors both immediate and remote) may or may not be present.
Factors other than those following may also be present.

PHYSIOLOGICAL:  fatigue  may  result  in  a  loss  of  vigilance. 

PSYCHOLOGICAL:  vigilance  decrement  may  result  in  attention  shifting 
before  the  results  of  an  action  can  be  observed. 

SOCIAL:  the  authority  gradient  and  variables  such  as  assertiveness  and 
receptiveness  influence  the  extent  to  which  feedback  is  offered  and  used  for 
error  correction  within  the  team. 

Equipment:  controls  and  displays  must  give  feedback  to  show  the  system 
state. 

Monitoring  and  Supervision:  the  role  of  monitoring  and  supervision  is 
to  provide  error-correcting  feedback.  When  monitoring  and  supervision 
break  down,  there  is  no  error  correction  at  these  levels. 

Suppose  the  crew  implement  the  intended  action  to  the  perceived  situation  (including  no 
action  if  this  was  the  intended  response),  but  the  action  selected  (including  an  intended  no 
action) was incorrect, was inadequate to achieve the goal in an appropriate and/or timely
fashion,  or  the  selected  response  didn’t  manage  risk. 

Did  the  operator  or  crew  have  the  pre-requisite  capability,  knowledge  or  skills  required  to 
form  and  implement  an  appropriate  action  to  the  situation?  If  the  answer  is  YES  then  was  the 
Time  Pressure  within  limits? 

Was the perceived TIME PRESSURE (How much time you think it will take you to process all
the information divided by The amount of time that you think is available before you have to
action the decision) excessive (more than 100%, usually people start to have problems above
80%)? Ask yourself “...if there had seemed to be more time available, would the outcome
have been different?”

If  the  answer  is  YES  then  time  pressure  was  a  factor  and  the  failure  has  been  in  ACTION 
SELECTION,  in  the  lack  of  FEEDBACK  or  in  the  TIME  MANAGEMENT  strategy.  This  is  a 
failure  in  the  time-attention  trade-off. 

5.4.1  Action  Selection  Failure:  A  failure  in  Action  Selection  is  a  failure  in  the 
decision  process  due  to  shortcomings  in  action  selection,  rather  than  a 
misunderstanding/misperception  of  the  situation.  These  are  failures  to  formulate  the  right 
plan  rather  than  a  failure  to  carry  out  the  plan.  There  is  insufficient  time  to  choose  a  correct  or 
adequate  course  of  action  from  memory  even  though  it  does  exist  or  would  likely  be  derived  if 
more  time  were  available.  There  is  no  time  to  generate  alternatives  and  test  them  mentally  for 
their  appropriateness. 

Pre-conditions  for  a  failure  in  Action  Selection  under  excessive  time  pressure: 
some  or  all  of  the  following  pre-conditions  (latent  factors  both  immediate  and  remote) 
may  or  may  not  be  present.  Factors  other  than  those  following  may  also  be  present. 

Time  Pressure:  The  tempo  of  the  task  is  excessive.  There  is  little  or  no 
time to rest or re-group, “...there is no time to think.” Operators are paced
by  the  task  and  have  little  scope  to  manage  the  timeline. 

Monitoring  and  Supervision:  managers  and  supervisors  need  to  be 
aware  of  tasks  that  impose  excessive  time  pressures  and  initiate  corrective 
action. 

PROVISION  OF  Resources:  lack  of  resources,  ‘doing  more  with  less’,  can 
lead  to  excessive  tempos. 

MISSION:  inappropriate  for  the  resources  available.  The  mission  should  be 
compatible with the current capabilities of the operators.

OVERSIGHT:  was  it  known  that  there  were  systemic  problems  with  excessive 
time  pressure  at  the  task  level,  and  was  corrective  action  taken? 

5.4.2  Feedback  Failure:  If  Feedback  is  not  present,  such  as  when  attention  is  shifted 
prematurely  (before  goal  achievement),  there  is  a  failure  in  error  correction.  These  are 
failures  to  backup,  crosscheck  or  monitor  to  ensure  that  the  goal  has  been  achieved.  There  is 
no  time  to  close  the  loop. 

PRE-CONDITIONS  for  a  failure  in  FEEDBACK  under  excessive  time  pressure:  some  or 
all  of  the  following  pre-conditions  (latent  factors  both  immediate  and  remote)  may  or 
may  not  be  present.  Factors  other  than  those  following  may  also  be  present. 

Time Pressure: The tempo of the task is excessive. There is little or no
time to rest or re-group, “...there is no time to think.” Operators are paced
by the task and have little scope to manage the timeline.

Monitoring  and  Supervision:  managers  and  supervisors  need  to  be 
aware  of  tasks  that  impose  excessive  time  pressures  and  initiate  corrective 
action. 

Provision  of  Resources:  lack  of  resources,  ‘doing  more  with  less’,  can 
lead  to  excessive  tempos. 

MISSION:  inappropriate  for  the  resources  available.  The  mission  should  be 
compatible with the current capabilities of the operators.

Oversight:  was  it  known  that  there  were  systemic  problems  with  excessive 
time  pressure  at  the  task  level,  and  was  corrective  action  taken? 

5.4.3  Time  Management  Failure:  A  failure  in  Time  management  results  from  an 
incorrect  or  inappropriate  prioritisation  of  attention.  Would  a  different  sampling  strategy  have 
helped? There are essentially two strategies for managing time pressure: one can make the
task less difficult (meaning less information to process) by delegating, postponing, shedding
activities or otherwise making the task less complex, or one can extend the timeline before
the decision has to be actioned (slowing the task tempo).

PRE-CONDITIONS for a failure in Time Management: some or all of the following
pre-conditions (latent factors both immediate and remote) may or may not be present.
Factors other than those following may also be present.

TRAINING:  part  of  the  training  process  involves  learning  what  is  important 
and  what  can  be  ignored  and  methods  for  controlling  the  tempo.  An  effective 
time  management  strategy  depends  on  this  knowledge. 

TIME  Pressure:  task  tempos  that  are  inherently  high  generate  high  time 
pressures  and  require  the  use  of  effective  time  management  strategies. 

Monitoring  and  Supervision:  managers  and  supervisors  need  to  be 
aware  of  tasks  that  impose  excessive  time  pressures  and  initiate  corrective 
action. 

Provision  of  Resources:  lack  of  resources,  ‘doing  more  with  less’,  can 
lead  to  excessive  tempos. 

MISSION:  inappropriate  for  the  resources  available.  The  mission  should  be 
compatible with the current capabilities of the operators.

Oversight:  was  it  known  that  there  were  systemic  problems  with  excessive 
time  pressure  at  the  task  level,  and  was  corrective  action  taken? 

Suppose  the  crew’s  actual  action  was  not  the  intended  or  planned  response.  These  are  the  real 
errors.  Given  the  same  circumstances  they  may  not  occur  again  in  the  same  form.  Of  all  the 
categories  they  are  the  most  random  and  the  most  difficult  to  defeat.  The  failure  is  in  the 
commission  of  a  SLIP,  MISS  OR  LAPSE  and/or  in  dropping  FEEDBACK. 

5.5.1  Slips,  Misses  and  Lapses:  In  all  cases  of  Slips,  Misses  and  Lapses,  the  intended 
action  was  not  implemented.  This  is  a  failure  in  action  execution  rather  than  action  selection. 
What was done was not what was intended. The wrong sequence or plan was triggered. For
example: 

•  Slips,  misses  and  bungles:  occur  when  the  intended  behaviour  is  ‘captured’  by  a  similar 
well-practised  behaviour  (e.g.,  operating  the  gear  lever  instead  of  the  flap  lever).  These 
are  failures  in  skill-based  behaviour.  Slips  may  occur  when:  the  intended  action  involves 
a  slight  departure  from  the  routine;  some  characteristics  of  the  stimulus  of  the  action 
sequence  are  related  to  the  inappropriate  but  more  frequent  action;  the  action  is  relatively 
automated  (skill-based  behaviour)  and  is  therefore  not  closely  monitored  (feedback). 

•  Lapses:  a  planned  response  was  not  actioned  at  the  appropriate  time,  missed  a  check  list 
item  or  a  step  in  a  procedure,  left  a  tool  in  the  work  area,  torquing  a  nut  at  the  end  of  an 
assembly  procedure,  bumping  into  something  or  inadvertently  activating  a  control. 

Lapses  are  what  might  be  called  forgetfulness,  often  precipitated  by  an  interruption. 
Lapses  are  often  seen  in  maintenance  and  installation  procedures. 

•  Mode  errors:  performing  an  action  that  is  inappropriate  in  the  current  mode  but  would  be 
appropriate  in  another  mode.  Generally  these  errors  occur  when  the  operator  forgets 
which  mode  is  selected  or  forgets  that  the  action  they  are  about  to  perform  gives  different 
than  expected  results  in  the  current  mode. 

Pre-conditions for Slips, Misses and Lapses: some or all of the following
pre-conditions (latent factors both immediate and remote) may or may not be present. Factors
other  than  those  following  may  also  be  present.  These  are  points  of  intervention  for 
reducing  the  likelihood  that  the  slip,  miss  or  bungle  will  occur  in  the  first  place. 

TRAINING:  many  mode  errors  can  be  traced  to  an  incomplete  understanding 
(mental  model)  of  system  function. 

EQUIPMENT: poor equipment design can set the scene for the propagation
of these errors. For example, proximity of flap and gear handles, similar look
and feel to controls, layout different to the conventional arrangement.

Organizational  Process  and  Practices:  Procedures  can  assist  in 
preventing  failures  due  to  memory  limitations  (shadow  boards  for  tools, 
independent  sign-offs,  challenge-response  methods,  noting  the  last  step 
performed  when  interrupted,  etc.).  Are  there  Standard  Operating  Procedures  for 
trapping  these  types  of  errors? 

RULES,  REGULATIONS:  are  there  Rules  and  Regulations  for  trapping  these  types 
of  errors?  For  example  the  existence  and  use  of  mandated  checklists. 

OVERSIGHT:  was  it  known  that  there  were  a  high  number  of  these  types  of 
incidents,  and  was  corrective  action  taken? 

5.5.2  Feedback  Failure:  When  Feedback  is  not  present,  such  as  when  attention  is  shifted 
prematurely  (before  goal  achievement),  there  is  a  failure  in  error  correction.  These  are 
failures  to  backup,  crosscheck  or  monitor  to  ensure  that  the  goal  has  been  achieved.  Feedback 
can  catch  unintended  responses  such  as  slips,  misses,  bungles  and  mode  errors,  as  the 
deviation  from  intended  action  is  often  easily  detected.  In  the  supervisory  role,  feedback  may 
counteract  lapses. 

PRE-CONDITIONS for a failure to TRAP Slips, Misses and Lapses: This is a failure in
FEEDBACK.  Some  or  all  of  the  following  pre-conditions  (latent  factors  both 
immediate  and  remote)  may  or  may  not  be  present.  Factors  other  than  those 
following  may  also  be  present.  These  are  points  of  intervention  for  recovering  from 
the  slip,  miss  or  bungle  after  it  has  occurred. 

TIME  Pressure:  task  tempos  that  are  inherently  high  generate  high  time 
pressures  and  require  the  use  of  effective  time  management  strategies  to 
ensure  that  feedback  is  not  dropped  for  critical  loops. 

SOCIAL:  a  strained  team  environment  is  likely  to  reduce  the  willingness  of 
team  members  to  backup  and  provide  error-correcting  feedback. 

ENVIRONMENT:  poor  lighting,  glare,  vibration  or  noise  can  reduce  cues  that 
would  facilitate  the  trapping  of  these  errors. 

Monitoring  and  Supervision:  managers  and  supervisors  need  to  be 
aware  of  tasks  that  impose  excessive  time  pressures  and  initiate  corrective 
action.  Monitoring  and  supervision  provides  error-correcting  feedback  to 
ensure  that  error  traps  are  in  place. 

Provision  of  Resources:  lack  of  resources,  ‘doing  more  with  less’,  can 
lead  to  excessive  tempos. 

MISSION:  inappropriate  for  the  resources  available.  The  mission  should  be 
compatible  with  the  current  capabilities  of  the  operators. 

Oversight:  was  it  known  that  there  were  systemic  problems  with  excessive 
time  pressure  at  the  task  level,  or  that  there  was  an  excess  of  these  types  of 
incidents,  and  was  corrective  action  taken? 
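
The branching for action failures described in 5.3.1 to 5.5.2 above (intended or unintended action, adequacy, capability, then perceived time pressure) can be written as a small classifier. This is an added sketch, not the SERA application's code; the `Case` and `Finding` field names, the status strings and the review flags that compare the time-pressure ratio with the "ask yourself" answer are assumptions made for the example.

```python
from dataclasses import dataclass
from enum import Enum
from typing import Optional, Tuple


class Failure(Enum):
    ACTION_SELECTION = "Action Selection"
    FEEDBACK = "Feedback"
    TIME_MANAGEMENT = "Time Management"
    SLIP_MISS_LAPSE = "Slips, Misses and Lapses"


EXCESSIVE = 1.00  # text: "more than 100%" is excessive
STRAINED = 0.80   # text: people usually start to have problems above 80%


def time_pressure(time_needed: float, time_available: float) -> float:
    """Perceived processing time divided by perceived time available."""
    if time_needed < 0 or time_available < 0:
        raise ValueError("times must be non-negative")
    if time_available == 0:
        return float("inf") if time_needed > 0 else 0.0
    return time_needed / time_available


@dataclass(frozen=True)
class Case:
    # Hypothetical field names mirroring the questions asked in the text.
    intended: bool                               # was the action the intended one?
    adequate: Optional[bool] = None              # correct and timely for the goal?
    capable: Optional[bool] = None               # capability, knowledge or skills?
    time_needed: Optional[float] = None          # perceived, any consistent unit
    time_available: Optional[float] = None       # perceived, same unit
    more_time_would_help: Optional[bool] = None  # the "ask yourself" question


@dataclass(frozen=True)
class Finding:
    status: str                          # "no_failure", "candidates", "not_covered"
    candidates: Tuple[Failure, ...] = ()
    ratio: Optional[float] = None
    review: Tuple[str, ...] = ()         # points for the investigator to revisit


def classify(case: Case) -> Finding:
    # Unintended action: slip, miss or lapse and/or dropped feedback.
    if not case.intended:
        return Finding("candidates", (Failure.SLIP_MISS_LAPSE, Failure.FEEDBACK))
    if case.adequate is None:
        raise ValueError("adequacy of an intended action must be answered")
    if case.adequate:
        return Finding("no_failure")
    if case.capable is None:
        raise ValueError("the capability question must be answered")
    if not case.capable:
        # The branch for a missing capability is not part of this excerpt.
        return Finding("not_covered", review=("capability branch not modelled",))

    ratio = None
    if case.time_needed is not None and case.time_available is not None:
        ratio = time_pressure(case.time_needed, case.time_available)
    answer = case.more_time_would_help
    if answer is None and ratio is None:
        raise ValueError("need the counterfactual answer or both time estimates")

    review = []
    if answer is None:
        # Assumption: with no counterfactual answer, fall back on the ratio.
        answer = ratio > EXCESSIVE
        if STRAINED < ratio <= EXCESSIVE:
            review.append("ratio between 80% and 100%: ask the counterfactual question")
    elif ratio is not None:
        if answer and ratio <= STRAINED:
            review.append("answer is YES but ratio is at or below 80%")
        if not answer and ratio > EXCESSIVE:
            review.append("answer is NO but ratio is above 100%")

    if answer:  # time pressure was a factor
        found = (Failure.ACTION_SELECTION, Failure.FEEDBACK, Failure.TIME_MANAGEMENT)
    else:       # time pressure was not a factor
        found = (Failure.ACTION_SELECTION, Failure.FEEDBACK)
    return Finding("candidates", found, ratio, tuple(review))
```

The candidates returned are the failure types the text says to examine next, each with its own list of pre-conditions; the function does not pick between them.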

Annex C: An example of a SERA Analysis

The  following  example  was  taken  from  the  National  Transportation  Safety  Board’s  data  base 
(http://www.ntsb.gov/NTSB/query.asp) 

NTSB  Identification:  LAX01LA065 

Accident  occurred  Tuesday,  December  26,  2000  at  COLORADO  CITY,  AZ 
Aircraft:  Cessna  T210N,  registration:  N4729C 
Injuries:  4  Minor. 

On December 26, 2000, about 1645 hours mountain standard time, a Cessna T210N,
N4729C, was substantially damaged during an off-airport forced landing at Colorado City,
Arizona.  The  forced  landing  was  precipitated  by  a  loss  of  engine  power  during  initial  climb. 
The  airline  transport  pilot  and  three  passengers  received  minor  injuries.  Visual  meteorological 
conditions  prevailed  for  the  personal  flight  operating  under  14  CFR  Part  91,  and  no  flight  plan 
was  filed.  The  personal  flight  was  originating  at  Colorado  City  as  a  local  area  personal  scenic 
flight. 

The  pilot,  who  is  also  a  maintenance  technician,  had  just  completed  an  annual  inspection  and 
installed  an  overhauled  engine  in  the  airplane.  The  pilot  stated  that  he  had  flown  the  airplane 
three  times  for  a  total  of  about  2.5  hours. 

During  takeoff  and  initial  climb,  about  400  to  500  feet  agl,  the  engine  lost  power.  The  pilot 
activated  the  fuel  hi-boost  pump,  which  generated  brief  surges  of  engine  power.  He  performed 
a  180-degree  turn  back  towards  the  airport,  but  was  unable  to  reach  the  runway  and  collided 
with  rocky  terrain. 

The  pilot  stated  that  he  visually  checked  both  fuel  tanks  during  the  preflight,  observing  about 
1  inch  in  the  left  tank  and  about  1.5  inches  in  the  right  tank.  He  then  checked  the  fuel  gages, 
which  showed  about  half  full  for  each  tank.  At  the  time  of  the  accident  the  fuel  selector  was 
on  the  left  tank.  The  pilot  stated  that  during  a  postaccident  examination  he  found  the  left  tank 
was  empty.  He  also  reported  that  after  recovering  the  airplane  and  applying  electrical  power 
the  left  fuel  gauge  was  stuck  at  3/8  full. 

The following is a slightly edited version of the report generated by the SERA v1.0
application. Edits are small and relate mainly to the order in which information is presented.
It is intended that v1.1 of the application will produce output that closely follows this format.

Report  Title:  NTSB  Identification:  LAX01LA065 

Report Date: Apr. 15, 2002

Report  Time:  4:16  PM 

Author:  Keith  Hendy 

Affiliation:  HSMG/SMART/DRDC  Toronto 
Incident  Date:  Tuesday,  December  26,  2000 
Incident  Time:  1645  hours  mountain  standard  time 

Incident Description: The airline transport rated pilot, who is also a maintenance technician,
had  just  completed  an  annual  inspection  and  installed  an  overhauled  engine  in  the  airplane.  He 
stated  that  he  had  flown  the  airplane  three  times  for  a  total  of  about  2.5  hours.  During  takeoff 
and  initial  climb,  about  400  to  500  feet  agl,  the  engine  lost  power.  The  pilot  activated  the  fuel 
hi-boost  pump,  which  generated  brief  surges  of  engine  power.  He  performed  a  180-degree 
turn  back  towards  the  airport,  but  was  unable  to  reach  the  runway  and  collided  with  rocky 
terrain.  He  stated  that  he  visually  checked  both  fuel  tanks  during  the  preflight,  observing 
about  1  inch  in  the  left  tank  and  about  1.5  inches  in  the  right  tank.  He  then  checked  the  fuel 
gages,  which  showed  about  half  full  for  each  tank.  At  the  time  of  the  accident  the  fuel  selector 
was  on  the  left  tank.  The  pilot  stated  that  during  a  postaccident  examination  he  found  the  left 
tank  was  empty.  He  also  reported  that  after  recovering  the  airplane  and  applying  electrical 
power  the  left  fuel  gauge  was  stuck  at  3/8  full. 


The  unsafe  act  or  unsafe  condition  that  marks  the  first  point  in  the  timeline  where  there  was  a 
departure  from  safe  operation  was: 

The  pilot  took  off  with  less  than  the  required  fuel  on  board. 


The  operator  or  crewmember  believed  the  state  of  the  world  with  respect  to  the  goal(s)  was: 
The  pilot  believed  he  had  sufficient  fuel  to  complete  the  flight. 

Additional  Remarks: 

Although there is no evidence to show that the pilot conducted any fuel burn calculations he
did  visually  check  the  fuel  state  of  each  tank  and  the  gauges  prior  to  take-off.  The  pilot 
observed  about  1  inch  of  fuel  in  the  left  tank  and  1.5  inch  of  fuel  in  the  right  tank.  The  fuel 
gauges  showed  about  1/2  full.  It  is  possible  that  the  aircraft  had  flown  at  least  2.5  hours  since 
refuelling  for  3  take  offs  and  landings. 

It  is  assumed  that  the  pilot  would  not  have  conducted  this  flight  unless  he  believed  he  had 
sufficient  fuel  on  board. 


The  intent  or  goal(s)  that  led  to  the  unsafe  act  was: 

The  pilot  intended  to  conduct  a  local  area  scenic  flight  with  passengers. 


The  operator  or  crewmember  was  trying  to  achieve  the  goal(s)  by  the  following  means: 
The  pilot  intended  to  conduct  a  normal  VFR  flight. 


PERCEPTION  FAILURES 


The  crew's  assessment  of  the  situation  did  not  match  the  actual  situation. 
Brief  Description  of  Crew's  Assessment: 

The pilot's assessment of the fuel on board was incorrect.


The  operator  or  crew  had  the  pre-requisite  capability,  knowledge  or  skills  required  to  sense 
and  perceive  the  situation. 

Brief  Description  of  Crew's  Capability: 

The  pilot  was  an  ATP  with  maintenance  technician  qualifications.  He  had  just  completed  an 
annual  inspection  and  engine  replacement  on  the  aircraft.  It  can  be  assumed  that  he  had  some 
familiarity with the Cessna 210N and its systems.


The  perceived  TIME  PRESSURE  was  not  excessive. 

Brief  Description  of  Time  Pressure: 

There  is  no  evidence  of  any  excessive  time  pressure  for  what  was  a  personal  local  area  flight. 


The  information  was  illusory  or  ambiguous. 

Brief  Description  of  Information: 

Information  regarding  the  fuel  load  (visual  tank  inspection,  fuel  gauges,  flight  time  since  last 
refuelling)  was  ambiguous.  The  fuel  gauges  gave  a  crisp  but  incorrect  indication  of  fuel  load, 
while  the  imprecise  visual  inspection  of  the  tanks  did  not  key  the  pilot  to  the  true  fuel  state. 


Conclusion: 

PERCEPTUAL  FAILURE:  The  information  was  available  but  could  be  interpreted  more  than 
one  way. 

The  AGA  135  HFACS  equivalent  terminology  for  this  failure: 

Active  Failure:  Perceptual 
Additional  Remarks: 

Visual  inspection  of  the  fuel  tanks  should  have  provided  a  clue  that  fuel  was  insufficient  for 
the  flight,  however  the  fuel  gauges  provided  a  false  indication  of  approximately  half  tanks. 

The  information  provided  was  contradictory  and  ambiguous.  The  resulting  perception  is 
likely  to  depend  on  the  order  in  which  the  information  was  obtained  and  what  information  is 
weighted  more  heavily. 

A  third  piece  of  information  was  available  but  appears  not  to  have  been  factored  into  the 
equation.  The  aircraft  may  have  flown  at  least  2.5  hours  since  refuelling.  Total  endurance  of 
a Cessna 210N is approximately 3.5 hours if leaned for cruise flight.


Pre-conditions: 

The  following  pre-conditions  were  answered  "YES": 

EQUIPMENT: Ambiguous displays of information (visual, auditory, other) can lead to
misperceptions. 

The  AGA  135  HFACS  equivalent  terminology  for  the  selected  pre-conditions: 

Pre-condition:  Equipment 
Additional  Remarks: 

One  fuel  gauge  (the  left)  was  obviously  faulty  and  the  other  was  perhaps  optimistic.  The 
gauges  did  not  correctly  represent  the  fuel  state  of  the  aircraft. 

Fuel  gauges  in  light  aircraft  are  notoriously  unreliable,  yet  in  this  case  it  appears  they  were 
believed  over  other  sources  of  (conflicting)  information.  The  gauges  provide  information  in  a 
direct  and  relatively  easily  understood  fashion.  A  visual  inspection  requires  considerably 
more  complex  information  processing  to  turn  what  can  be  observed  into  a  meaningful 
measure  of  flight  time.  This  message  needs  to  be  re-enforced  in  the  community  again.  A 
pilot  should  back  up  gauge  indications  with  at  least  one  other  independent  source  of 
information. 

PERCEPTUAL  INFORMATION  PROCESSING  BIASES:  these  biases  shape  how  we  weight 
the  information  we  receive  from  the  world  (these  are  present  in  the  absence  of  time  pressure 
but  become  more  dominant  as  time  pressure  increases). 

The  AGA  135  HFACS  equivalent  terminology  for  the  selected  pre-conditions: 

Pre-condition:  Adverse  mental  states 

Additional  Remarks: 

The  order  in  which  information  was  gathered  may  have  affected  the  pilot's  perception  of  fuel 
on board. The visual inspection should have given cause for concern, as 1-1.5 in of fuel is
possibly  insufficient  to  ensure  the  pick  up  remains  immersed.  Gauging  fuel  contents  from  a 
visual  inspection  is  imprecise  but  a  gauge  appears  to  give  a  crisp  indication  and  seems  to  have 
been  accepted  as  ground  truth.  Other  information  such  as  the  flight  time  since  last  refuelling 
appeared  to  be  ignored.  All  the  information  needed  to  accurately  gauge  the  fuel  state  of  the 
aircraft  was  available  but  it  was  not  congruent. 


GOAL  FAILURES 


The  goal  was  not  consistent  with  rules,  regulations  and  SOPs. 

Brief  Description  of  Relevant  Regulations: 

The  pilot  took  off  with  less  than  the  amount  of  fuel  required  for  this  flight  (flight 
time+45mins).  It  is  assumed  that  this  was  not  an  intentional  violation  of  the  Rules. 


It  was  not  a  routine  violation. 

Conclusion:


EXCEPTIONAL  VIOLATION:  Exceptional  violations  are  isolated  departures  from  authority 
and  not  necessarily  typical  of  an  individual's  behaviour  pattern. 

The  AGA  135  HFACS  equivalent  terminology  for  this  failure: 

Active  Failure:  Violation  -  exceptional 

Additional  Remarks: 

There  is  no  evidence  to  suggest  that  this  pilot  routinely  violates  the  Rules  and  Regulations.  It 
is  assumed  that  the  violation  was  not  deliberate  and  that  the  pilot  believed  that  the  fuel  state 
was  sufficient  for  the  trip  planned. 


Pre-conditions: 

The  following  pre-conditions  were  answered  "YES": 

INFORMATION  PROCESSING  BIASES:  limit  the  information  attended  to,  how  it  is 
perceived  and  the  actions  that  come  from  the  decision  making  process. 

The  AGA  135  HFACS  equivalent  terminology  for  the  selected  pre-conditions: 

Pre-condition:  Adverse  mental  states 

Additional  Remarks: 

The  problem  appears  to  be  with  the  incomplete  evaluation  of  the  information  available  and  the 
inability  to  resolve  conflicting  information. 


ACTION  FAILURES 


The  action  that  occurred  was  the  intended  action.  Their  action  may  not  have  had  the  intended 
results,  but  they  did  do  what  they  intended  to  do. 


The  action  (including  an  intended  no  action)  was  correct  and  adequate  to  achieve  the  goal  in 
an  appropriate  (i.e.,  converging  on  the  GOAL)  and/or  timely  fashion. 

Brief  Description  of  Action  Appropriateness: 

The  flight  was  proceeding  as  intended  until  the  first  signs  of  fuel  starvation  were  detected. 


Conclusion: 

This  conclusion  is  consistent  with  my  understanding  of  the  situation. 
The  AGA  135  HFACS  equivalent  terminology  for  this  failure: 

No  failure 

List of symbols/abbreviations/acronyms/initialisms

AC      Aircraft Commander
AGL     Above Ground Level
C2      Command and Control
CF      Canadian Forces
DCIEM   Defence and Civil Institute of Environmental Medicine
DFS     Directorate of Flight Safety
DND     Department of National Defence
DRDC    Defence Research and Development Canada
FMS     Flight Management System
HFACS   Human Factors Accident Classification System
ILS     Instrument Landing System
IP      Information Processing
MDA     Minimum Descent Altitude
NTSB    National Transportation Safety Board
PCT     Perceptual Control Theory
SERA    Systematic Error and Risk Analysis
SMART   Simulation and Modelling for Acquisition, Rehearsal and Modelling
SOP     Standard Operating Procedure

13. DOCUMENT ANNOUNCEMENT


Unlimited  announcement 

